CN103733563A - Information processing device, signature-generation device, information processing method, signature-generation method, and program - Google Patents


Info

Publication number: CN103733563A
Authority: CN (China)
Prior art keywords: message, information, algorithm, verification, group
Legal status: Pending
Application number: CN201280038074.3A
Other languages: Chinese (zh)
Inventor: 作本紘一
Current Assignee: Sony Corp
Original Assignee: Sony Corp

Events: application filed by Sony Corp; publication of CN103733563A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 ... using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3247 ... involving digital signatures
    • H04L9/3271 ... using challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Provided is an information processing device that: generates a message on the basis of a tuple (F = (f1, ..., fm)) of multivariate polynomials, said multivariate polynomials being defined on a ring (K), and a vector s (s belongs to K^n); provides said message to a verifier who knows the tuple (F) of multivariate polynomials and a vector y (y = (y1, ..., ym) = (f1(s), ..., fm(s))); and provides said verifier with response information corresponding to a verification pattern the verifier has selected from among k (k >= 3) verification patterns. The tuple (F) of multivariate polynomials comprises m third-order polynomials (f1, ..., fm) set such that G1(x1, x2) and G2(x1, x2), defined such that G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.

Description

Information processing device, signature generation device, information processing method, signature generation method, and program
Technical field
The present technology relates to an information processing device, a signature generation device, an information processing method, a signature generation method, and a program.
Background technology
With the rapid development of information processing technology and communication technology, documents, whether public or private, are being rapidly digitized. With this digitization, many individuals and companies have taken a strong interest in the secure management of electronic documents. In response to this interest, countermeasures against tampering (for example, the theft or forgery of electronic documents) are being actively researched in various fields. Against the theft of electronic documents, security is ensured, for example, by encrypting the documents. Against the forgery of electronic documents, security is ensured, for example, by using digital signatures. However, when the encryption or digital signature in use does not have high tamper resistance, sufficient security cannot be guaranteed.
A digital signature is used to identify the author of an electronic document. Therefore, a digital signature should be producible only by the author of the electronic document. If a malicious third party could produce the same digital signature, that third party could impersonate the author of the electronic document; that is, the third party could forge the electronic document. Various opinions have been expressed about the security of digital signatures against such forgery. Widely used digital signature schemes include, for example, the RSA signature scheme and the DSA signature scheme.
The RSA signature scheme relies on "the difficulty of the prime factorization of a large composite number (hereinafter, the prime factorization problem)" as its security basis. The DSA signature scheme relies on "the difficulty of solving the discrete logarithm problem" as its security basis. These bases rest on the fact that no algorithm is known that efficiently solves the prime factorization problem or the discrete logarithm problem on a classical computer; that is, the difficulty referred to above is computational difficulty on a classical computer. However, it is said that, using a quantum computer, solutions to the prime factorization problem and the discrete logarithm problem can be computed efficiently.
Like the RSA signature scheme and the DSA signature scheme, many of the digital signature schemes and public-key authentication schemes in current use rely on the difficulty of the prime factorization problem or the discrete logarithm problem as their security basis. Therefore, if quantum computers are put into practical use, the security of these digital signature schemes and public-key authentication schemes can no longer be guaranteed. It is thus desirable to realize new digital signature schemes and public-key authentication schemes whose security rests on a problem different from the problems that a quantum computer can easily solve (such as the prime factorization problem and the discrete logarithm problem). An example of a problem that cannot easily be solved by a quantum computer is the problem relating to multivariate polynomials.
For example, known digital signature schemes whose security is based on a multivariate polynomial problem include those based on Matsumoto-Imai (MI) cryptography, Hidden Field Equation (HFE) cryptography, the Oil-Vinegar (OV) signature scheme, and Tamed Transformation Method (TTM) cryptography. For example, Non-Patent Literature 1 and 2 below disclose digital signature schemes based on HFE.
Reference listing
Non-patent literature
Non-Patent Literature 1: Jacques Patarin, Asymmetric Cryptography with a Hidden Monomial, CRYPTO 1996, pp. 45-60
Non-Patent Literature 2: Patarin, J., Courtois, N., and Goubin, L., QUARTZ, 128-Bit Long Digital Signatures, in Naccache, D., ed., Topics in Cryptology - CT-RSA 2001 (San Francisco, CA, USA, April 2001), vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag, pp. 282-297
Summary of the invention
Technical problem
As described above, the multivariate polynomial problem is an example of a problem (called an NP-hard problem) that is hard to solve even with a quantum computer. Public-key authentication schemes that use the multivariate polynomial problem, typified by HFE and the like, generally use multi-order multivariate simultaneous equations with a special trapdoor. For example, multi-order multivariate simultaneous equations F(x1, ..., xn) = y in x1, ..., xn and linear transformations A and B are prepared, and the linear transformations A and B are managed in secret. In this case, the multi-order multivariate simultaneous equations F and the linear transformations A and B are the trapdoors.
An entity that knows the trapdoors F, A and B can solve the equation B(F(A(x1, ..., xn))) = y' in x1, ..., xn. On the other hand, an entity that does not know the trapdoors F, A and B cannot solve the equation B(F(A(x1, ..., xn))) = y'. By using this mechanism, public-key authentication schemes and digital signature schemes can be realized whose security rests on the difficulty of solving multi-order multivariate simultaneous equations.
As described above, in order to realize such a public-key authentication scheme or digital signature scheme, special multi-order multivariate simultaneous equations satisfying B(F(A(x1, ..., xn))) = y must be prepared. Moreover, at signature generation the multi-order multivariate simultaneous equations F must be solved. For this reason, the usable multi-order multivariate simultaneous equations F are limited to equations that can be solved relatively easily. That is, the previous schemes only use multi-order multivariate simultaneous equations B(F(A(x1, ..., xn))) = y that are a composition of three functions (trapdoors) B, F and A that can each be solved relatively easily, and it is therefore difficult to guarantee sufficient security.
The present technology has been made in view of the above circumstances, and aims to provide a new and improved information processing device, signature generation device, information processing method, signature generation method and program that can realize an efficient public-key authentication scheme or digital signature scheme with high security by using multi-order multivariate simultaneous equations for which no efficient solving method (trapdoor) is known.
The solution of problem
According to an embodiment of the present disclosure, there is provided an information processing device including: a message generation unit that generates a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; a message providing unit that provides the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); and a response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 3) verification patterns. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing device including: an information storage unit that stores a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); a message acquisition unit that acquires a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n; a pattern information providing unit that provides the prover who provided the message with information on one verification pattern selected at random from among k (k >= 3) verification patterns; a response acquisition unit that acquires from the prover the response information corresponding to the selected verification pattern; and a verification unit that verifies, based on the message, the set of multi-order multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing device including: a message generation unit that generates a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; a message providing unit that provides the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); an intermediate information generation unit that generates third information based on first information selected at random by the verifier and second information obtained when the message was generated; an intermediate information providing unit that provides the third information to the verifier; and a response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 2) verification patterns. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are linear with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing device including: an information storage unit that stores a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); a message acquisition unit that acquires a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n; an information providing unit that provides the prover who provided the message with first information selected at random; an intermediate information acquisition unit that acquires third information generated by the prover based on the first information and second information obtained when the message was generated; a pattern information providing unit that provides the prover with information on one verification pattern selected at random from among k (k >= 3) verification patterns; a response acquisition unit that acquires from the prover the response information corresponding to the selected verification pattern; and a verification unit that verifies, based on the message, the first information, the third information, the set of multi-order multivariate polynomials F and the response information, whether the prover stores the vector s. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are linear with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided a signature generation device including: a message generation unit that generates a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; a message providing unit that provides the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); a pattern selection unit that selects one verification pattern from among k (k >= 3) verification patterns based on a numerical value obtained by inputting a document M and the message into a one-way function; a response generation unit that generates response information corresponding to the selected verification pattern; and a signature providing unit that provides the verifier with the message and the response information as a signature. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing method including the steps of: generating a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; providing the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); and providing the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 3) verification patterns. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing method including the steps of: storing, by an information processing device, a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); acquiring a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n; providing the prover who provided the message with information on one verification pattern selected at random from among k (k >= 3) verification patterns; acquiring from the prover the response information corresponding to the selected verification pattern; and verifying, based on the message, the set of multi-order multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing method including the steps of: generating a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; providing the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); generating third information based on first information selected at random by the verifier and second information obtained when the message was generated; providing the third information to the verifier; and providing the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 2) verification patterns. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are linear with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided an information processing method including the steps of: storing, by an information processing device, a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); acquiring a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n; providing the prover who provided the message with first information selected at random; acquiring third information generated by the prover based on the first information and second information obtained when the message was generated; providing the prover with information on one verification pattern selected at random from among k (k >= 3) verification patterns; acquiring from the prover the response information corresponding to the selected verification pattern; and verifying, based on the message, the first information, the third information, the set of multi-order multivariate polynomials F and the response information, whether the prover stores the vector s. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are linear with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided a signature generation method including the steps of: generating a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; providing the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); selecting one verification pattern from among k (k >= 3) verification patterns based on a numerical value obtained by inputting a document M and the message into a one-way function; generating response information corresponding to the selected verification pattern; and providing the verifier with the message and the response information as a signature. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided a program causing a computer to realize: a message generation function that generates a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; a message providing function that provides the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); and a response providing function that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 3) verification patterns. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided a program causing a computer to realize: an information storage function that stores a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); a message acquisition function that acquires a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n; a pattern information providing function that provides the prover who provided the message with information on one verification pattern selected at random from among k (k >= 3) verification patterns; a response acquisition function that acquires from the prover the response information corresponding to the selected verification pattern; and a verification function that verifies, based on the message, the set of multi-order multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are additively homomorphic with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided a program causing a computer to realize: a message generation function that generates a message based on a set of multi-order multivariate polynomials F = (f1, ..., fm) defined over a ring K and a vector s that is an element of the set K^n; a message providing function that provides the message to a verifier who stores the set of multi-order multivariate polynomials F and a vector y = (y1, ..., ym) = (f1(s), ..., fm(s)); an intermediate information generation function that generates third information based on first information selected at random by the verifier and second information obtained when the message was generated; an intermediate information providing function that provides the third information to the verifier; and a response providing function that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 2) verification patterns. The vector s is a secret key. The set of multi-order multivariate polynomials F and the vector y are public keys. The message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of multi-order multivariate polynomials F includes m cubic polynomials f1, ..., fm, and is set such that G1(x1, x2) and G2(x1, x2), defined by G1(x1, x2) + G2(x1, x2) = F(x1 + x2) - F(x1) - F(x2), are linear with respect to x1 and x2, respectively.
According to an embodiment of the present disclosure, there is provided a program that causes a computer to realize: an information storage function that stores a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); a message acquisition function that acquires a message generated on the basis of the set of polynomials F and a vector s that is an element of the set K^n; an information provision function that provides first information, selected at random, to the prover who supplied the message; an intermediate information acquisition function that acquires third information generated by the prover on the basis of the first information and second information obtained when the message was generated; a pattern information provision function that provides the prover with information on one verification pattern selected at random from among k (where k >= 3) verification patterns; a response acquisition function that acquires, from the prover, response information corresponding to the selected verification pattern; and a verification function that verifies, on the basis of the message, the first information, the third information, the set of polynomials F and the response information, whether the prover holds the vector s. The vector s is a secret key. The set of polynomials F and the vector y are a public key. The message is information obtained by performing, on the basis of the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of polynomials F is composed of m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2 respectively.
According to an embodiment of the present disclosure, there is provided a program that causes a computer to realize: a message generation function that generates a message on the basis of a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n; a message provision function that provides the message to a verifier storing the set of polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); a pattern selection function that selects one verification pattern from among k (where k >= 3) verification patterns on the basis of a value obtained by inputting a document M and the message into a one-way function; a response generation function that generates response information corresponding to the selected verification pattern; and a signature provision function that provides the verifier with the message and the response information as a signature. The vector s is a secret key. The set of polynomials F and the vector y are a public key. The message is information obtained by performing, on the basis of the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information. The set of polynomials F is composed of m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2 respectively.
According to an embodiment of the present disclosure, there is provided a computer-readable recording medium on which the above program is recorded.
Advantageous Effects of Invention
According to the technology described above, a public-key authentication scheme and a digital signature scheme that are efficient and highly secure can be realized using multi-order multivariate simultaneous equations for which no efficient solving means (trapdoor) is known.
Brief Description of Drawings
Fig. 1 is an explanatory diagram for describing the algorithm structure of a public-key authentication scheme.
Fig. 2 is an explanatory diagram for describing the algorithm structure of a digital signature scheme.
Fig. 3 is an explanatory diagram for describing the algorithm structure of an n-pass public-key authentication scheme.
Fig. 4 is an explanatory diagram for describing an example of a specific algorithm structure related to a 3-pass public-key authentication scheme.
Fig. 5 is an explanatory diagram for describing an efficient algorithm related to the 3-pass public-key authentication scheme.
Fig. 6 is an explanatory diagram for describing the parallelization of the efficient algorithm related to the 3-pass public-key authentication scheme.
Fig. 7 is an explanatory diagram for describing an example of the algorithm of a 3-pass public-key authentication scheme (scheme #1) using higher-order polynomials.
Fig. 8 is an explanatory diagram for describing an example of a parallelized algorithm of the 3-pass public-key authentication scheme (scheme #1) using higher-order polynomials.
Fig. 9 is an explanatory diagram for describing an example of a specific algorithm structure related to a 5-pass public-key authentication scheme.
Fig. 10 is an explanatory diagram for describing an example of an efficient algorithm related to the 5-pass public-key authentication scheme.
Fig. 11 is an explanatory diagram for describing the parallelization of the efficient algorithm related to the 5-pass public-key authentication scheme.
Fig. 12 is an explanatory diagram for describing an example of the algorithm of a 5-pass public-key authentication scheme (scheme #1) using higher-order polynomials.
Fig. 13 is an explanatory diagram for describing an example of a parallelized algorithm of the 5-pass public-key authentication scheme (scheme #1) using higher-order polynomials.
Fig. 14 is an explanatory diagram for describing an example of the algorithm of a 5-pass public-key authentication scheme (scheme #2) using higher-order polynomials.
Fig. 15 is an explanatory diagram for describing an example of a parallelized algorithm of the 5-pass public-key authentication scheme (scheme #2) using higher-order polynomials.
Fig. 16 is an explanatory diagram for describing an example of an efficient parallelized algorithm of the 5-pass public-key authentication scheme (scheme #2) using higher-order polynomials.
Fig. 17 is an explanatory diagram for describing an example of another efficient parallelized algorithm of the 5-pass public-key authentication scheme (scheme #2) using higher-order polynomials.
Fig. 18 is an explanatory diagram for describing a method of modifying the efficient algorithm related to the 3-pass public-key authentication scheme into an algorithm of a digital signature scheme.
Fig. 19 is an explanatory diagram for describing a method of modifying another efficient algorithm related to the 3-pass public-key authentication scheme into an algorithm of a digital signature scheme.
Fig. 20 is an explanatory diagram for describing a method of modifying the efficient algorithm related to the 5-pass public-key authentication scheme into an algorithm of a digital signature scheme.
Fig. 21 is an explanatory diagram for describing a method of modifying another efficient algorithm related to the 5-pass public-key authentication scheme into an algorithm of a digital signature scheme.
Fig. 22 is an explanatory diagram for describing a parallel-serial structure of the efficient algorithm related to the 3-pass public-key authentication scheme.
Fig. 23 is an explanatory diagram for describing a serial-parallel structure of the efficient algorithm related to the 3-pass public-key authentication scheme.
Fig. 24 is an explanatory diagram for describing a parallel-serial structure (parallel-serial structure #1) of the efficient algorithm related to the 5-pass public-key authentication scheme.
Fig. 25 is an explanatory diagram for describing a parallel-serial structure (parallel-serial structure #2) of the efficient algorithm related to the 5-pass public-key authentication scheme.
Fig. 26 is an explanatory diagram for describing a serial-parallel structure (serial-parallel structure #1) of the efficient algorithm related to the 5-pass public-key authentication scheme.
Fig. 27 is an explanatory diagram for describing a serial-parallel structure (serial-parallel structure #2) of the efficient algorithm related to the 5-pass public-key authentication scheme.
Fig. 28 is an explanatory diagram for describing a hardware configuration example of an information processing apparatus capable of executing the algorithms according to each embodiment of the present technology.
Fig. 29 is an explanatory diagram for describing a suitable method of setting the parameters used in the public-key authentication schemes according to the first and second embodiments of the present technology, and the beneficial effects thereof.
Description of Embodiments
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Note that, in this specification and the drawings, elements having substantially the same function and structure are denoted by the same reference numerals, and repeated description is omitted.
[Flow of description]
Here, the flow of the description of the embodiments of the present technology given below is briefly outlined. First, the algorithm structure of a public-key authentication scheme is described with reference to Fig. 1. Next, the algorithm structure of a digital signature scheme is described with reference to Fig. 2. Next, an n-pass public-key authentication scheme is described with reference to Fig. 3.
Next, examples of algorithm structures related to the 3-pass public-key authentication scheme are described with reference to Figs. 4 to 8. Next, examples of algorithm structures related to the 5-pass public-key authentication scheme are described with reference to Figs. 5 to 17. Next, methods of modifying the efficient algorithms related to the 3-pass and 5-pass public-key authentication schemes into algorithms of a digital signature scheme are described with reference to Figs. 18 to 21.
Next, parallel-serial structures and serial-parallel structures of the efficient algorithms related to the 3-pass and 5-pass public-key authentication schemes are described with reference to Figs. 22 to 27. Next, a hardware configuration example of an information processing apparatus capable of realizing each algorithm according to the first and second embodiments of the present technology is described with reference to Fig. 28. Finally, the technical ideas of the embodiments and the operational effects obtained from those technical ideas are briefly summarized.
(Table of contents)
1. Introduction
1-1: Algorithm of a public-key authentication scheme
1-2: Algorithm of a digital signature scheme
1-3: Algorithm of an n-pass public-key authentication scheme
2. Algorithm structures related to the 3-pass public-key authentication scheme
2-1: Example of a specific algorithm structure
2-2: Efficient algorithm based on quadratic polynomials
2-2-1: Basic structure
2-2-2: Parallelized algorithm
2-3: Efficient algorithm based on higher-order polynomials (scheme #1)
2-3-1: Basic structure
2-3-2: Parallelized algorithm
3. Algorithm structures related to the 5-pass public-key authentication scheme
3-1: Example of a specific algorithm structure
3-2: Efficient algorithm based on quadratic polynomials
3-2-1: Basic structure
3-2-2: Parallelized algorithm
3-3: Efficient algorithm based on higher-order polynomials (first embodiment)
3-3-1: Basic structure
3-3-2: Parallelized algorithm
3-4: Efficient algorithm based on higher-order polynomials (second embodiment)
3-4-1: Basic structure
3-4-2: Parallelized algorithm (configuration example 1)
3-4-3: Parallelized algorithm (configuration example 2: high efficiency)
3-4-4: Parallelized algorithm (configuration example 2: higher efficiency)
4: Modification into a digital signature scheme
4-1: Modification of the 3-pass public-key authentication scheme into a digital signature scheme
4-1-1: Digital signature algorithm (configuration example 1)
4-1-2: Digital signature algorithm (configuration example 2: high efficiency)
4-2: Modification of the 5-pass public-key authentication scheme into a digital signature scheme
4-2-1: Digital signature algorithm (configuration example 1)
4-2-2: Digital signature algorithm (configuration example 2: high efficiency)
5: Hybrid algorithms
5-1: Hybrid algorithms related to the 3-pass public-key authentication scheme
5-1-1: Parallel-serial algorithm
5-1-2: Serial-parallel algorithm
5-2: Hybrid algorithms related to the 5-pass public-key authentication scheme
5-2-1: Parallel-serial algorithm (configuration example #1)
5-2-2: Parallel-serial algorithm (configuration example #2)
5-2-3: Serial-parallel algorithm (configuration example #1)
5-2-4: Serial-parallel algorithm (configuration example #2)
6: Supplement
6-1: Method of setting system parameters
6-2: Method of responding to irregular challenges
6-2-1: Response method on the prover side
6-2-2: Response method on the verifier side
7: Example of hardware configuration
8: Summary
<1. Introduction>
The embodiments herein relate to a public-key authentication scheme and a digital signature scheme whose security is based on the difficulty of solving multi-order multivariate simultaneous equations. However, unlike related-art methods such as the HFE digital signature scheme, the embodiments herein relate to a public-key authentication scheme and a digital signature scheme that use multi-order multivariate simultaneous equations lacking an efficient solving means (trapdoor). First, the algorithm of a public-key authentication scheme, the algorithm of a digital signature scheme and an n-pass public-key authentication scheme are briefly summarized.
[1-1: Algorithm of a public-key authentication scheme]
First, an overview of the algorithm of a public-key authentication scheme is described with reference to Fig. 1. Fig. 1 is an explanatory diagram for describing the algorithm structure of a public-key authentication scheme.
Public-key authentication is used when a person (prover) convinces another person (verifier) that she is the prover herself by using a public key pk and a secret key sk. For example, the public key pk_A of prover A is made known to verifier B. On the other hand, the secret key sk_A of prover A is managed in secret by prover A. In a public-key authentication scheme, a person who knows the secret key sk_A corresponding to the public key pk_A is regarded as prover A herself.
In order for prover A to prove to verifier B that she is prover A herself using the public-key authentication setup, prover A provides verifier B, via an interactive protocol, with evidence that she knows the secret key sk_A corresponding to the public key pk_A. The evidence indicating that prover A knows the secret key sk_A is then provided to verifier B, and when verifier B can confirm the evidence, the validity of prover A (the fact that prover A is herself) is proven.
However, the public-key authentication setup requires the following conditions in order to guarantee security.
The first condition is that "the probability that a forger who does not have the secret key sk succeeds in establishing a forgery while executing the interactive protocol is made as small as possible". Satisfying this first condition is called "soundness". In other words, soundness means that "a forger who does not have the secret key sk cannot establish a forgery with non-negligible probability during execution of the interactive protocol". The second condition is that "even if the interactive protocol is executed, no information about the secret key sk_A of prover A is leaked to verifier B". Satisfying this second condition is called "zero-knowledge".
Performing public-key authentication securely involves using an interactive protocol that exhibits both soundness and zero-knowledge. If an authentication process were performed using an interactive protocol lacking soundness and zero-knowledge, there would be a definite possibility of false authentication and a definite possibility of key information being leaked, so that the validity of the prover could not be proven even if the authentication process itself completed successfully. Consequently, the question of how to guarantee the soundness and zero-knowledge of the session protocol is very important.
(Model)
In the model of a public-key authentication scheme there are two entities, namely a prover and a verifier, as shown in Fig. 1. The prover generates a pair of a public key pk and a secret key sk unique to the prover by using a key generation algorithm Gen. Then, the prover executes an interactive protocol with the verifier using the pair of the secret key sk and the public key pk generated with the key generation algorithm Gen. At this time, the prover executes the interactive protocol by using a prover algorithm P. As described above, in the interactive protocol the prover uses the prover algorithm P to prove to the verifier that she has the secret key sk.
On the other hand, the verifier executes the interactive protocol by using a verifier algorithm V, and verifies whether the prover has the secret key corresponding to the public key that the prover has published. That is, the verifier is an entity that verifies whether the prover has the secret key corresponding to the public key. As described above, the model of a public-key authentication scheme is composed of two entities (the prover and the verifier) and three algorithms (the key generation algorithm Gen, the prover algorithm P and the verifier algorithm V).
Note that the terms "prover" and "verifier" are used in the description below, but these terms strictly denote entities. Accordingly, the subject that executes the key generation algorithm Gen and the prover algorithm P is an information processing apparatus corresponding to the entity "prover". Similarly, the subject that executes the verifier algorithm V is an information processing apparatus. A hardware configuration of these information processing apparatuses is as shown in Fig. 28, for example. That is, the key generation algorithm Gen, the prover algorithm P and the verifier algorithm V are executed by a CPU 902 on the basis of a program recorded on a ROM 904, a RAM 906, a storage unit 920, a removable recording medium 928 or the like.
(Key generation algorithm Gen)
The key generation algorithm Gen is used by the prover. The key generation algorithm Gen is an algorithm for generating a pair of a public key pk and a secret key sk unique to the prover. The public key pk generated by the key generation algorithm Gen is published. The published public key pk is then used by the verifier. On the other hand, the secret key sk generated by the key generation algorithm Gen is managed in secret by the prover. The secret key sk managed in secret by the prover is used to prove to the verifier that the prover has the secret key sk corresponding to the public key pk. Formally, the key generation algorithm Gen is represented as the following formula (1): an algorithm that takes a security parameter 1^λ (λ is an integer of 0 or more) as input and outputs the secret key sk and the public key pk.
[Math. 1]
(sk, pk) ← Gen(1^λ) … (1)
(Prover algorithm P)
The prover algorithm P is used by the prover. The prover algorithm P is an algorithm for proving to the verifier that the prover has the secret key sk corresponding to the public key pk. In other words, the prover algorithm P is an algorithm that takes the public key pk and the secret key sk as input and executes the interactive protocol.
(Verifier algorithm V)
The verifier algorithm V is used by the verifier. The verifier algorithm V is an algorithm that verifies, during the session protocol, whether the prover has the secret key sk corresponding to the public key pk. The verifier algorithm V is an algorithm that takes the public key pk as input and outputs 0 or 1 (1 bit) according to the result of executing the session protocol. Here, the verifier judges that the prover is invalid when the verifier algorithm V outputs 0, and judges that the prover is valid when the verifier algorithm V outputs 1. Formally, the verifier algorithm V is represented as the following formula (2).
[Math. 2]
0/1 ← V(pk) … (2)
As described above, realizing a meaningful public-key authentication scheme involves making the interactive protocol satisfy the two conditions of soundness and zero-knowledge. However, proving that the prover has the secret key sk involves the prover executing a procedure that depends on the secret key sk and, after notifying the verifier of the result, the verifier executing verification based on the notified content. The execution of a procedure that depends on the secret key sk is what guarantees soundness. At the same time, no information about the secret key sk should be leaked to the verifier. For this reason, the key generation algorithm Gen, the prover algorithm P and the verifier algorithm V described above are carefully designed to satisfy these requirements.
The foregoing thus summarizes the algorithms of a public-key authentication scheme.
[1-2: Algorithm of a digital signature scheme]
Next, the algorithms of a digital signature scheme are summarized with reference to Fig. 2. Fig. 2 is an explanatory diagram summarizing the algorithms of a digital signature scheme.
Unlike paper documents, digitized data cannot be physically signed, nor can a seal be physically affixed to it. For this reason, proving the creator of digitized data involves producing an electronic setup with an effect similar to physically signing a paper document or affixing a seal to it. This setup is a digital signature. A digital signature refers to a setup in which given data is associated with signature data that only the creator of the data knows, the signature data is provided to a recipient, and the signature data is verified on the recipient's side.
(Model)
As shown in Fig. 2, the model of a digital signature scheme has two identities, a signer and a verifier. The model of a digital signature scheme also includes three algorithms: a key generation algorithm Gen, a signature generation algorithm Sig and a signature verification algorithm Ver.
The signer uses the key generation algorithm Gen to generate a pair of a signature key sk and a verification key pk unique to the signer. The signer also uses the signature generation algorithm Sig to generate a digital signature σ to be attached to a message M. In other words, the signer is an entity that attaches a digital signature to a message M. Meanwhile, the verifier uses the signature verification algorithm Ver to verify the digital signature attached to the message M. In other words, the verifier is an entity that verifies the digital signature σ in order to confirm whether the creator of the message M is the signer.
Note that although the terms "signer" and "verifier" are used in the description below, these terms ultimately denote entities. Accordingly, the subject that executes the key generation algorithm Gen and the signature generation algorithm Sig is an information processing apparatus corresponding to the entity "signer". Similarly, the subject that executes the signature verification algorithm Ver is an information processing apparatus. A hardware configuration of these information processing apparatuses is as shown in Fig. 28, for example. In other words, the key generation algorithm Gen, the signature generation algorithm Sig and the signature verification algorithm Ver are executed by a device such as a CPU 902 on the basis of a program recorded on a ROM 904, a RAM 906, a storage unit 920, a removable recording medium 928 or the like.
(Key generation algorithm Gen)
The key generation algorithm Gen is used by the signer. The key generation algorithm Gen is an algorithm that generates a pair of a signature key sk and a verification key pk unique to the signer. The verification key pk generated by the key generation algorithm Gen is published. Meanwhile, the signer keeps the signature key sk generated by the key generation algorithm Gen secret. The signature key sk is then used to generate a digital signature σ to be attached to a message M. For example, the key generation algorithm Gen takes a security parameter 1^p (where p is an integer equal to or greater than 0) as input and outputs the signature key sk and the verification key pk. In this case, the key generation algorithm Gen can be formally represented as the following formula (3):
[Math. 3]
(sk, pk) ← Gen(1^λ) … (3)
(Signature generation algorithm Sig)
The signature generation algorithm Sig is used by the signer. The signature generation algorithm Sig is an algorithm that generates a digital signature σ to be attached to a message M. The signature generation algorithm Sig is an algorithm that takes the signature key sk and the message M as input and outputs the digital signature σ. The signature generation algorithm Sig can be formally represented as the following formula (4):
[Math. 4]
σ ← Sig(sk, M) … (4)
(Signature verification algorithm Ver)
The signature verification algorithm Ver is used by the verifier. The signature verification algorithm Ver is an algorithm that verifies whether the digital signature σ is a valid digital signature for the message M. The signature verification algorithm Ver is an algorithm that takes the signer's verification key pk, the message M and the digital signature σ as input and outputs 0 or 1 (1 bit). The signature verification algorithm Ver can be formally represented as the following formula (5). Here, the verifier judges that the digital signature σ is invalid when the signature verification algorithm Ver outputs 0 (the case where the verification key pk rejects the message M and the digital signature σ), and judges that the digital signature σ is valid when the signature verification algorithm Ver outputs 1 (the case where the verification key pk accepts the message M and the digital signature σ).
[Math. 5]
0/1 ← Ver(pk, M, σ) … (5)
The foregoing thus summarizes the algorithms of a digital signature scheme.
[1-3: n-pass public-key authentication scheme]
Next, an n-pass public-key authentication scheme is described with reference to Fig. 3. Fig. 3 is an explanatory diagram for describing an n-pass public-key authentication scheme.
As described above, a public-key authentication scheme is an authentication scheme in which the prover proves to the verifier, during an interactive protocol, that she has the secret key sk corresponding to the public key pk. The interactive protocol must also satisfy the two conditions of soundness and zero-knowledge. For this reason, as shown in Fig. 3, the prover and the verifier exchange information n times during the interactive protocol while each performs processing.
In the case of the n-pass public-key authentication scheme, the prover performs processing using the prover algorithm P (operation #1) and sends information T_1 to the verifier. Then, the verifier performs processing using the verifier algorithm V (operation #2) and sends information T_2 to the prover. For k = 3 to n, this execution of processing and transmission of information T_k (operation #k) is performed in turn, and finally processing (operation #n+1) is performed. Because information is sent and received n times in this way, the scheme is called an "n-pass" public-key authentication scheme.
The foregoing thus describes the n-pass public-key authentication scheme.
<2. Algorithm structures related to the 3-pass public-key authentication scheme>
Hereinafter, algorithms related to the 3-pass public-key authentication scheme are described. Note that in the description below the 3-pass public-key authentication scheme may in some cases also be referred to as the "3-pass scheme".
[2-1: Example of a specific algorithm structure]
First, an example of a specific algorithm structure related to the 3-pass scheme is introduced with reference to Fig. 4. Fig. 4 is an explanatory diagram for describing a specific algorithm structure related to the 3-pass scheme. The algorithms of the 3-pass scheme are composed of a key generation algorithm Gen, a prover algorithm P and a verifier algorithm V. The structure of each algorithm is described below.
(Key generation algorithm Gen)
The key generation algorithm Gen generates m polynomials f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n) defined over a ring K and a vector s = (s_1, ..., s_n) that is an element of the set K^n. Next, the key generation algorithm Gen computes y = (y_1, ..., y_m) ← (f_1(s), ..., f_m(s)). Then, the key generation algorithm Gen sets (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n), y) as the public key pk and sets s as the secret key. Hereinafter, the vector (x_1, ..., x_n) is written x, and the set of polynomials (f_1(x), ..., f_m(x)) is written F(x).
(Prover algorithm P, verifier algorithm V)
Next, the processing performed by the prover algorithm P and the processing performed by the verifier algorithm V during the interactive protocol are described with reference to Fig. 4.
During the interactive protocol, the prover demonstrates to the verifier that "she knows an s satisfying y = F(s)" without leaking any information about the secret key s to the verifier. On the other hand, the verifier verifies whether the prover knows an s satisfying y = F(s). It is assumed that the public key pk has been published to the verifier. It is also assumed that the secret key s is managed in secret by the prover. The description below follows the flow chart shown in Fig. 4.
Operation #1:
First, the prover algorithm P selects an arbitrary number seed_0. Then, the prover algorithm P applies the number seed_0 to a pseudo-random number generator PRNG to generate a vector r_0 that is an element of the set K^n and a number seed_1. That is, the prover algorithm P computes (r_0, seed_1) <- PRNG(seed_0). Then, the prover algorithm P applies the number seed_1 to the pseudo-random number generator PRNG to generate the polynomials F_1(x) = (f_11(x), ..., f_1m(x)). That is, the prover algorithm P computes F_1 <- PRNG(seed_1).
Operation #1 (continued):
Then, the prover algorithm P computes r_1 <- s - r_0. This computation corresponds to masking the secret key s with the vector r_0. In addition, the prover algorithm P computes F_2(x) <- F(x + r_0) + F_1(x). This computation corresponds to masking the polynomials F(x + r_0) in x with the polynomials F_1(x).
Operation #1 (continued):
Then, the prover algorithm P generates a hash value c_0 of r_1 and F_1(r_1). That is, the prover algorithm P computes c_0 <- H(F_1(r_1), r_1). The prover algorithm P also generates a hash value c_1 of the number seed_1. That is, the prover algorithm P computes c_1 <- H(seed_1). The prover algorithm P further generates a hash value c_2 of the polynomials F_2. That is, the prover algorithm P computes c_2 <- H(F_2). The hash values (c_0, c_1, c_2) are sent to the verifier algorithm V as the message. Note that at this point no information about s, no information about r_0 and no information about r_1 is leaked to the verifier.
Operation #2:
Upon receiving the message (c_0, c_1, c_2), the verifier algorithm V selects which of three verification patterns to use. For example, the verifier algorithm V may select one value from among the three values {0, 1, 2} representing the verification patterns and set the selected value in a challenge Ch. This challenge Ch is sent to the prover algorithm P.
Operation #3:
Upon receiving the challenge Ch, the prover algorithm P generates a response Rsp to be sent to the verifier algorithm V according to the received challenge Ch. In the case of Ch = 0, the prover algorithm P generates the response Rsp = seed_0. In the case of Ch = 1, the prover algorithm P generates the response Rsp = (seed_1, r_1). In the case of Ch = 2, the prover algorithm P generates the response Rsp = (F_2, r_1). The response Rsp generated in operation #3 is sent to the verifier algorithm V. Note that in the case of Ch = 0 no information about r_1 is leaked to the verifier, and in the case of Ch = 1 or 2 no information about r_0 is leaked to the verifier.
Operation #4:
Upon receiving the response Rsp, the verifier algorithm V performs the following verification processing using the received response Rsp.
In the case of Ch = 0, the verifier algorithm V computes (r_0, seed_1) <- PRNG(Rsp). The verifier algorithm V also computes F_1 <- PRNG(seed_1). Then, the verifier algorithm V verifies whether the equation c_1 = H(seed_1) holds. The verifier algorithm V further verifies whether the equation c_2 = H(F(x + r_0) + F_1(x)) holds. The verifier algorithm V outputs the value 1 to indicate successful authentication when all of these verifications succeed, and outputs the value 0 to indicate failed authentication when any verification fails.
In the case of Ch = 1, the verifier algorithm V sets (seed_1, r_1) <- Rsp. The verifier algorithm V also computes F_1 <- PRNG(seed_1). Then, the verifier algorithm V verifies whether the equation c_0 = H(F_1(r_1), r_1) holds. The verifier algorithm V further verifies whether the equation c_1 = H(seed_1) holds. The verifier algorithm V outputs the value 1 to indicate successful authentication when all of these verifications succeed, and outputs the value 0 to indicate failed authentication when any verification fails.
The in the situation that of Ch=2, verification person's algorithm V arranges (F 2, r 1) <-Rsp.Then, verification person's algorithm V verifies c 0=H (F 2(r 1)-y, r 1) equation whether set up.In addition, verification person's algorithm V verifies c 2=H (F 2) equation whether set up.Verification person's algorithm V verifies all successfully output valve 1 in situation at these and is proved to be successful with indication, and is verifying failed in the situation that output valve 0 with indication authentication failed.
(Soundness)
Here the description of the soundness of the algorithm for the 3-pass scheme is supplemented. Soundness is guaranteed by the following logic: if the prover algorithm P returns a correct response Rsp for every challenge Ch = 0, 1, 2 that the verifier algorithm V can select, then F_2, F_1, r_0 and r_1 satisfying formulas (6) and (7) below can be computed from those responses.
[Mathematical Expression 6]
$F_2(x) = F(x + r_0) + F_1(x)$   …(6)
$F_2(r_1) - y = F_1(r_1)$   …(7)
Because soundness is guaranteed in this way, a forgery that succeeds with probability higher than 2/3 is impossible unless the problem of solving a system of multivariate polynomial equations of degree two or higher is solved. That is, to respond correctly to all three challenges Ch = 0, 1, 2, a forger would have to compute F_2, F_1, r_0 and r_1 satisfying formulas (6) and (7), in other words an s satisfying F(s) = y. However, a forger can still respond correctly to two of the three challenges Ch = 0, 1, 2 with high probability, so the probability that a false verification succeeds is 2/3. By repeating the interactive protocol a sufficient number of times, the probability of a successful forgery becomes negligibly small.
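The extraction step behind the soundness argument above, carried through with the section's own symbols (an added derivation, not part of the original text). From the three responses an extractor obtains r_0 and F_1 (by expanding seed_0 from the Ch = 0 response), r_1 (from the Ch = 1 response) and F_2 (from the Ch = 2 response); the commitments c_0, c_1, c_2 bind the same seed_1, r_1 and F_2 across the responses, so these values satisfy (6) and (7) simultaneously:

$$F_2(r_1) = F(r_1 + r_0) + F_1(r_1) \qquad \text{(formula (6) at } x = r_1\text{)}$$
$$F_2(r_1) = y + F_1(r_1) \qquad \text{(formula (7))}$$
$$\Rightarrow\quad F(r_0 + r_1) = F_2(r_1) - F_1(r_1) = y$$

Hence s' = r_0 + r_1 satisfies F(s') = y, that is, it is a valid secret key for the public key (F, y). A prover who can answer all three challenges can therefore be turned into a solver for the multivariate system, which is exactly the claim the text relies on.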
(Hash function H)
Here the description of the hash function H is supplemented. In the algorithm above, the hash function H is used to compute c_0, c_1, c_2 and so on. A commitment function COM may be used in place of the hash function H. A commitment function COM is a function that takes a character string S and a random number ρ as its inputs. Examples of commitment functions include the scheme presented by Shai Halevi and Silvio Micali at the international conference CRYPTO 1996.
For example, consider computing c_0, c_1 and c_2 with the commitment function COM. In this case, random numbers ρ_0, ρ_1 and ρ_2 are prepared before c_0, c_1 and c_2 are computed, and c_0, c_1 and c_2 are produced by applying COM(·, ρ_0), COM(·, ρ_1) and COM(·, ρ_2) instead of the hash function H(·). The ρ_i that the verifier needs in order to recompute c_i is then included in the response Rsp and sent with it.
The above is an example of a specific algorithm structure for the 3-pass scheme.
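The seed-based protocol of this subsection run end to end, with the commitment-function variant just described, as an added worked example (this is not code from the patent). It assumes toy parameters p = 251, n = 4, m = 3, instantiates PRNG with SHAKE-128 and SHA-256, and instantiates COM(·, ρ) as SHA-256 over (ρ, value) rather than the Halevi-Micali construction; all of these are assumptions. The last function counts the field elements in each response: the Ch = 2 response ships the whole polynomial F_2, which is the cost the efficient algorithm of section 2-2 removes.

```python
# Added example (not code from the patent): the seed-based 3-pass protocol
# above, run end to end over K = GF(p) with a quadratic F.  PRNG is
# instantiated with SHAKE-128 / SHA-256 and COM(., rho) with SHA-256 over
# (rho, value); p, n, m are toy parameters.  All of these are assumptions.
import hashlib
import os

p, n, m = 251, 4, 3

def H(*parts):                        # hash of a tuple of Python values
    return hashlib.sha256(repr(parts).encode()).digest()

def COM(rho, *parts):                 # randomised commitment COM(parts, rho)
    return H(rho, *parts)

def field_elems(seed, count):         # PRNG(seed) -> count elements of K
    raw = hashlib.shake_128(seed).digest(2 * count)
    return [int.from_bytes(raw[2 * i:2 * i + 2], "big") % p for i in range(count)]

def expand_seed0(seed0):              # (r0, seed1) <- PRNG(seed0)
    return field_elems(seed0 + b"|r0", n), hashlib.sha256(seed0 + b"|seed1").digest()[:16]

# A quadratic polynomial f(x) = x^T Q x + L^T x + C is the triple (Q, L, C);
# a map F = (f_1, ..., f_m) is a list of m such triples.
COEFFS = n * n + n + 1                # field elements per f_i

def poly_from_seed(seed):             # F1 <- PRNG(seed1)
    a, polys = field_elems(seed, m * COEFFS), []
    for i in range(m):
        base = i * COEFFS
        Q = [a[base + j * n:base + j * n + n] for j in range(n)]
        polys.append((Q, a[base + n * n:base + n * n + n], a[base + COEFFS - 1]))
    return polys

def evaluate(F, x):
    return [(C + sum(L[j] * x[j] for j in range(n))
             + sum(Q[j][k] * x[j] * x[k] for j in range(n) for k in range(n))) % p
            for Q, L, C in F]

def shift(F, r):                      # the polynomial x -> F(x + r), expanded
    out = []
    for Q, L, C in F:
        L2 = [(L[j] + sum((Q[j][k] + Q[k][j]) * r[k] for k in range(n))) % p
              for j in range(n)]
        out.append((Q, L2, evaluate([(Q, L, C)], r)[0]))
    return out

def add_polys(F, G):
    return [([[(u + v) % p for u, v in zip(ra, rb)] for ra, rb in zip(Qa, Qb)],
             [(u + v) % p for u, v in zip(La, Lb)], (Ca + Cb) % p)
            for (Qa, La, Ca), (Qb, Lb, Cb) in zip(F, G)]

def vsub(a, b):
    return [(u - v) % p for u, v in zip(a, b)]

def keygen(seed=b"toy-key"):          # public (F, y = F(s)), secret s
    F, s = poly_from_seed(b"F|" + seed), field_elems(b"s|" + seed, n)
    return F, evaluate(F, s), s

def prover_commit(F, s):              # Operation #1
    seed0 = os.urandom(16)
    r0, seed1 = expand_seed0(seed0)
    F1 = poly_from_seed(seed1)
    r1 = vsub(s, r0)                                  # r1 <- s - r0
    F2 = add_polys(shift(F, r0), F1)                  # F2 <- F(x + r0) + F1(x)
    rho = [os.urandom(16) for _ in range(3)]
    c = (COM(rho[0], evaluate(F1, r1), r1), COM(rho[1], seed1), COM(rho[2], F2))
    return c, dict(seed0=seed0, seed1=seed1, r1=r1, F2=F2, rho=rho)

def prover_respond(st, ch):           # Operation #3, with the rho_i the verifier needs
    rho = st["rho"]
    if ch == 0:
        return (st["seed0"], rho[1], rho[2])
    if ch == 1:
        return (st["seed1"], st["r1"], rho[0], rho[1])
    return (st["F2"], st["r1"], rho[0], rho[2])

def verify(F, y, c, ch, rsp):         # Operation #4
    c0, c1, c2 = c
    if ch == 0:
        seed0, rho1, rho2 = rsp
        r0, seed1 = expand_seed0(seed0)
        F2 = add_polys(shift(F, r0), poly_from_seed(seed1))
        return c1 == COM(rho1, seed1) and c2 == COM(rho2, F2)
    if ch == 1:
        seed1, r1, rho0, rho1 = rsp
        F1 = poly_from_seed(seed1)
        return c0 == COM(rho0, evaluate(F1, r1), r1) and c1 == COM(rho1, seed1)
    F2, r1, rho0, rho2 = rsp
    return c0 == COM(rho0, vsub(evaluate(F2, r1), y), r1) and c2 == COM(rho2, F2)

def run_round(F, y, s, ch):
    c, st = prover_commit(F, s)
    return verify(F, y, c, ch, prover_respond(st, ch))

def response_field_elems(ch):
    """Field elements carried by Rsp: Ch = 2 ships the whole polynomial F2."""
    return {0: 0, 1: n, 2: m * COEFFS + n}[ch]
```

Note that the verifier needs the public F itself only for Ch = 0, where it rebuilds F(x + r_0) + F_1(x) from the opened seed; for Ch = 2 the relation F_2(r_1) - y = F_1(r_1) ties the polynomial to y without touching F.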
[2-2: Efficient algorithm based on quadratic polynomials]
Next, a method of making the algorithm for the 3-pass scheme efficient is described. Here the case in which a set of quadratic polynomials (f_1(x), ..., f_m(x)) is used as the multivariate polynomial F is described. Each quadratic polynomial f_i(x) is assumed to be expressed as formula (8) below.
[Mathematical Expression 7]
$f_i(x_1, \ldots, x_n) = \sum_{j,k} a_{ijk} x_j x_k + \sum_j b_{ij} x_j$   …(8)
The set of quadratic polynomials (f_1(x), ..., f_m(x)) can also be expressed as formula (9) below. Here x = (x_1, ..., x_n), A_1, ..., A_m are n × n matrices, and each of b_1, ..., b_m is an n × 1 vector.
[Mathematical Expression 8]
$F(x) = \begin{pmatrix} f_1(x) \\ \vdots \\ f_m(x) \end{pmatrix} = \begin{pmatrix} x^T A_1 x + b_1^T x \\ \vdots \\ x^T A_m x + b_m^T x \end{pmatrix}$   …(9)
Using this expression, the multivariate polynomial F can be written as formulas (10) and (11) below. That this expression holds is easily confirmed from formula (12) below.
[Mathematical Expression 9]
$F(x + y) = F(x) + F(y) + G(x, y)$   …(10)
$G(x, y) = \begin{pmatrix} y^T (A_1^T + A_1) x \\ \vdots \\ y^T (A_m^T + A_m) x \end{pmatrix}$   …(11)
$\begin{aligned} f_l(x + y) &= (x + y)^T A_l (x + y) + b_l^T (x + y) \\ &= x^T A_l x + x^T A_l y + y^T A_l x + y^T A_l y + b_l^T x + b_l^T y \\ &= f_l(x) + f_l(y) + x^T A_l y + y^T A_l x \\ &= f_l(x) + f_l(y) + x^T (A_l^T)^T y + y^T A_l x \\ &= f_l(x) + f_l(y) + (A_l^T x)^T y + y^T A_l x \\ &= f_l(x) + f_l(y) + y^T (A_l^T x) + y^T A_l x \\ &= f_l(x) + f_l(y) + y^T (A_l^T + A_l) x \end{aligned}$   …(12)
When F(x + y) is split in this way into a first part that depends only on x, a second part that depends only on y and a third part that depends on both x and y, the term G(x, y) corresponding to the third part is bilinear in x and y (and, since A_l^T + A_l is symmetric, G(x, y) = G(y, x)). An efficient algorithm can be constructed by using this property.
For example, let the polynomial F_1(x) used to mask F(x + r_0) be F_1(x) = G(x, t_0) + e_0, where t_0 is a vector in K^n and e_0 is a vector in K^m. In this case the sum of F(x + r_0) and F_1(x) is expressed as formula (13) below.
Here, if t_1 = r_0 + t_0 and e_1 = F(r_0) + e_0, the polynomial F_2(x) = F(x + r_0) + F_1(x) can be expressed by the vector t_1 in K^n and the vector e_1 in K^m. For this reason, when F_1(x) = G(x, t_0) + e_0 is chosen, F_1 and F_2 can each be expressed by one vector in K^n and one vector in K^m, so the amount of data that must be communicated is reduced significantly; specifically, communication efficiency can be improved by a factor of several thousand to several tens of thousands. (The concrete algorithm of Fig. 5 below subtracts the masks instead, t_1 = r_0 - t_0 and e_1 = F(r_0) - e_0; this is the same construction with the signs of t_0 and e_0 flipped, and relations (15) and (16) in section 2-3 are written in that convention.)
[Mathematical Expression 10]
$\begin{aligned} F(x + r_0) + F_1(x) &= F(x) + F(r_0) + G(x, r_0) + G(x, t_0) + e_0 \\ &= F(x) + G(x, r_0 + t_0) + F(r_0) + e_0 \end{aligned}$   …(13)
With this modification, F_2 (or F_1) leaks no information about r_0. For example, even when e_1 and t_1 (or e_0 and t_0) are given, nothing is learned about r_0 as long as e_0 and t_0 (or e_1 and t_1) remain unknown. Zero-knowledge is therefore guaranteed. Below, the efficient algorithm for the 3-pass scheme is described with reference to Figs. 5 and 6.
(2-2-1: Basic structure (Fig. 5))
First, the basic structure of the efficient algorithm for the 3-pass scheme is described with reference to Fig. 5. The structure of the key generation algorithm Gen is not described further.
Operation #1:
As shown in Fig. 5, the prover algorithm P first randomly generates vectors r_0 and t_0 in K^n and a vector e_0 in K^m. Then P computes r_1 <- s - r_0, which masks the secret key s with the vector r_0. P also computes t_1 <- r_0 - t_0 and then e_1 <- F(r_0) - e_0.
Operation #1 (continued):
Next, P computes c_0 <- H(r_1, G(t_0, r_1) + e_0), then c_1 <- H(t_0, e_0), then c_2 <- H(t_1, e_1). The message (c_0, c_1, c_2) generated in operation #1 is sent to the verifier algorithm V.
Operation #2:
On receiving the message (c_0, c_1, c_2), V selects which of three verification patterns to use. For example, V selects a value from the three values {0, 1, 2} representing the verification patterns and sets the selected value in the challenge Ch. The challenge Ch is sent to P.
Operation #3:
On receiving the challenge Ch, P generates the response Rsp to be sent to V according to the received Ch. If Ch = 0, P produces Rsp = (r_0, t_1, e_1). If Ch = 1, P produces Rsp = (r_1, t_0, e_0). If Ch = 2, P produces Rsp = (r_1, t_1, e_1). The response Rsp generated in operation #3 is sent to V.
Operation #4:
On receiving the response Rsp, V performs the following verification using the received Rsp.
If Ch = 0, V checks whether the equation c_1 = H(r_0 - t_1, F(r_0) - e_1) holds and whether the equation c_2 = H(t_1, e_1) holds. V outputs the value 1 (verification succeeded) if both checks pass and the value 0 (verification failed) otherwise.
If Ch = 1, V checks whether c_0 = H(r_1, G(t_0, r_1) + e_0) holds and whether c_1 = H(t_0, e_0) holds. V outputs 1 (verification succeeded) if both checks pass and 0 (verification failed) otherwise.
If Ch = 2, V checks whether c_0 = H(r_1, y - F(r_1) - G(t_1, r_1) - e_1) holds and whether c_2 = H(t_1, e_1) holds. V outputs 1 (verification succeeded) if both checks pass and 0 (verification failed) otherwise. (For an honest prover y - F(r_1) - G(t_1, r_1) - e_1 = F(r_0) + G(r_0, r_1) - G(r_0 - t_0, r_1) - F(r_0) + e_0 = G(t_0, r_1) + e_0, which is the value committed in c_0.)
The above is an example of the structure of the efficient algorithm for the 3-pass scheme. Using this algorithm, the amount of data that must be communicated is reduced significantly.
(2-2-2: Parallel algorithm (Fig. 6))
Next, a method of parallelizing the algorithm shown in Fig. 5 is described with reference to Fig. 6. The structure of the key generation algorithm Gen is not described further.
As described above, one execution of the interactive protocol keeps the probability of a successful forgery at 2/3 or less. Executing the interactive protocol twice therefore keeps the probability of a successful forgery at (2/3)^2 or less, and executing it N times keeps it at (2/3)^N or less. If N is set to a sufficiently large number (for example N = 140), the probability of a successful forgery becomes negligibly small.
Conceivable methods of executing the interactive protocol repeatedly include a serial method, which repeats the exchange of message, challenge and response sequentially, and a parallel method, which exchanges a plurality of messages, challenges and responses in a single exchange. Here, the algorithm that executes the interactive protocol for the 3-pass scheme in parallel (hereinafter, the parallel algorithm) is described.
Operation #1:
First, the prover algorithm P executes processes (1) to (6) below for i = 1 to N.
Process (1): P randomly generates vectors r_0i and t_0i in K^n and a vector e_0i in K^m.
Process (2): P computes r_1i <- s - r_0i, which masks the secret key s with the vector r_0i. P also computes t_1i <- r_0i - t_0i (the same definition as in Fig. 5, so that the verifier's check r_0i - t_1i = t_0i in process (1) of operation #4 holds).
Process (3): P computes e_1i <- F(r_0i) - e_0i.
Process (4): P computes c_0i <- H(r_1i, G(r_1i, t_0i) + e_0i). (G is symmetric, so G(r_1i, t_0i) = G(t_0i, r_1i) as in Fig. 5.)
Process (5): P computes c_1i <- H(t_0i, e_0i).
Process (6): P computes c_2i <- H(t_1i, e_1i).
Operation #1 (continued):
After executing processes (1) to (6) for i = 1 to N, P computes Cmt <- H(c_01, c_11, c_21, ..., c_0N, c_1N, c_2N). The hash value Cmt generated in operation #1 is sent to the verifier algorithm V. In this way the message (c_01, c_11, c_21, ..., c_0N, c_1N, c_2N) is converted to a single hash value before being sent to V, which reduces the traffic.
Operation #2:
On receiving the hash value Cmt, for each i = 1 to N, V selects which of three verification patterns to use. For example, for each i = 1 to N, V selects a value from the three values {0, 1, 2} representing the verification patterns and sets the selected value in the challenge Ch_i. The challenges Ch_1, ..., Ch_N are sent to P.
Operation #3:
On receiving the challenges Ch_1, ..., Ch_N, P generates the responses Rsp_1, ..., Rsp_N to be sent to V, one for each of the received challenges. If Ch_i = 0, P produces Rsp_i = (r_0i, t_1i, e_1i, c_0i). If Ch_i = 1, P produces Rsp_i = (r_1i, t_0i, e_0i, c_2i). If Ch_i = 2, P produces Rsp_i = (r_1i, t_1i, e_1i, c_1i). In each case the response carries the one commitment that V cannot recompute from the opened values.
The responses Rsp_1, ..., Rsp_N generated in operation #3 are sent to V.
Operation #4:
On receiving the responses Rsp_1, ..., Rsp_N, V executes processes (1) to (3) below for i = 1 to N using the received responses. V executes process (1) when Ch_i = 0, process (2) when Ch_i = 1 and process (3) when Ch_i = 2.
Process (1): If Ch_i = 0, V retrieves (r_0i, t_1i, e_1i, c_0i) from Rsp_i. V then computes c_1i = H(r_0i - t_1i, F(r_0i) - e_1i) and c_2i = H(t_1i, e_1i), and stores (c_0i, c_1i, c_2i).
Process (2): If Ch_i = 1, V retrieves (r_1i, t_0i, e_0i, c_2i) from Rsp_i. V then computes c_0i = H(r_1i, G(r_1i, t_0i) + e_0i) and c_1i = H(t_0i, e_0i), and stores (c_0i, c_1i, c_2i).
Process (3): If Ch_i = 2, V retrieves (r_1i, t_1i, e_1i, c_1i) from Rsp_i. V then computes c_0i = H(r_1i, y - F(r_1i) - G(t_1i, r_1i) - e_1i) and c_2i = H(t_1i, e_1i), and stores (c_0i, c_1i, c_2i).
After executing processes (1) to (3) for i = 1 to N, V checks whether the equation Cmt = H(c_01, c_11, c_21, ..., c_0N, c_1N, c_2N) holds. V outputs the value 1 (verification succeeded) if the check passes and the value 0 (verification failed) otherwise.
The above is an example of the structure of the parallelized efficient algorithm for the 3-pass scheme. The parallel algorithm shown in Fig. 6 includes the design of converting the message to a hash value before it is sent, which improves communication efficiency. Similarly, the structure can be modified so that the challenges Ch_1, ..., Ch_N or the responses Rsp_1, ..., Rsp_N are converted to hash values before being sent; modifying the structure in this way can further improve communication efficiency.
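Both the basic algorithm of Fig. 5 (2-2-1) and the parallel algorithm of Fig. 6 (2-2-2) above, as an added worked example that is not code from the patent. It uses the matrix form of formula (9) and the G of formula (11) over K = GF(p) with toy parameters p = 251, n = 5, m = 4, SHA-256 as H, and Python's random.Random as the randomness source; all of these are assumptions. It also includes a cheating prover that, without s, prepares a commitment that passes Ch = 1 and Ch = 2 but not Ch = 0, which is the 2/3 bound of the soundness discussion.

```python
# Added example (not code from the patent): the quadratic-polynomial algorithm
# of Fig. 5 and its N-fold parallel form of Fig. 6 over K = GF(p), using the
# matrix form of formula (9) and the symmetric bilinear G of formula (11).
# cheating_commit shows a prover without s passing Ch = 1 and Ch = 2 only.
# p, n, m, the use of SHA-256 as H and random.Random are assumptions.
import hashlib
import random

p, n, m = 251, 5, 4

def H(*parts):
    return hashlib.sha256(repr(parts).encode()).digest()

def new_rng(seed=7):
    return random.Random(seed)

def rand_vec(rng, k):
    return [rng.randrange(p) for _ in range(k)]

def vadd(a, b):
    return [(u + v) % p for u, v in zip(a, b)]

def vsub(a, b):
    return [(u - v) % p for u, v in zip(a, b)]

def keygen(rng):                      # pk = (A_1..A_m, b_1..b_m), sk = s
    A = [[rand_vec(rng, n) for _ in range(n)] for _ in range(m)]
    b = [rand_vec(rng, n) for _ in range(m)]
    return (A, b), rand_vec(rng, n)

def F(pk, x):                         # f_i(x) = x^T A_i x + b_i^T x, formula (9)
    A, b = pk
    return [(sum(x[j] * A[i][j][k] * x[k] for j in range(n) for k in range(n))
             + sum(b[i][j] * x[j] for j in range(n))) % p for i in range(m)]

def G(pk, x, y):                      # g_i(x, y) = y^T (A_i^T + A_i) x, formula (11)
    A, _ = pk
    return [sum(y[j] * (A[i][k][j] + A[i][j][k]) * x[k]
                for j in range(n) for k in range(n)) % p for i in range(m)]

def commit(pk, s, rng):               # Fig. 5, Operation #1
    r0, t0, e0 = rand_vec(rng, n), rand_vec(rng, n), rand_vec(rng, m)
    r1, t1, e1 = vsub(s, r0), vsub(r0, t0), vsub(F(pk, r0), e0)
    c = (H(r1, vadd(G(pk, t0, r1), e0)), H(t0, e0), H(t1, e1))
    return c, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1)

def respond(st, ch):                  # Fig. 5, Operation #3
    return {0: (st["r0"], st["t1"], st["e1"]),
            1: (st["r1"], st["t0"], st["e0"]),
            2: (st["r1"], st["t1"], st["e1"])}[ch]

def recompute(pk, y, ch, rsp):
    """Fig. 5, Operation #4: the two commitments V can rebuild from Rsp."""
    if ch == 0:
        r0, t1, e1 = rsp
        return {1: H(vsub(r0, t1), vsub(F(pk, r0), e1)), 2: H(t1, e1)}
    if ch == 1:
        r1, t0, e0 = rsp
        return {0: H(r1, vadd(G(pk, t0, r1), e0)), 1: H(t0, e0)}
    r1, t1, e1 = rsp
    inner = vsub(vsub(vsub(y, F(pk, r1)), G(pk, t1, r1)), e1)
    return {0: H(r1, inner), 2: H(t1, e1)}

def verify_round(pk, y, c, ch, rsp):
    return all(c[i] == v for i, v in recompute(pk, y, ch, rsp).items())

UNOPENED = {0: 0, 1: 2, 2: 1}         # index of the c_ji that Rsp_i must carry

def parallel_prove(pk, s, N, rng):    # Fig. 6, Operation #1: one hash Cmt
    rounds = [commit(pk, s, rng) for _ in range(N)]
    return H(*[c for c, _ in rounds]), rounds

def parallel_respond(rounds, chs):    # Fig. 6, Operation #3
    return [(respond(st, ch), c[UNOPENED[ch]]) for (c, st), ch in zip(rounds, chs)]

def parallel_verify(pk, y, Cmt, chs, rsps):   # Fig. 6, Operation #4
    cs = []
    for ch, (rsp, carried) in zip(chs, rsps):
        parts = recompute(pk, y, ch, rsp)
        parts[UNOPENED[ch]] = carried
        cs.append((parts[0], parts[1], parts[2]))
    return Cmt == H(*cs)

def cheating_commit(pk, y, rng):
    """Without s: choose e1 so that the Ch = 2 check reproduces c0, which makes
    Ch = 1 and Ch = 2 both pass; Ch = 0 then fails unless F(r0 + r1) = y."""
    r0, r1 = rand_vec(rng, n), rand_vec(rng, n)          # r0 + r1 is not s
    t0, e0 = rand_vec(rng, n), rand_vec(rng, m)
    t1 = vsub(r0, t0)
    want = vadd(G(pk, t0, r1), e0)                        # inner value committed in c0
    e1 = vsub(vsub(vsub(y, F(pk, r1)), G(pk, t1, r1)), want)
    c = (H(r1, want), H(t0, e0), H(t1, e1))
    return c, dict(r0=r0, r1=r1, t0=t0, t1=t1, e0=e0, e1=e1)
```

The cheating prover makes the Ch = 0 check fail because c_1 = H(t_0, e_0) would require F(r_0) = e_0 + e_1, which by the choice of e_1 is equivalent to F(r_0 + r_1) = y; with a binding H, each round therefore gives a cheater at most two answerable challenges out of three, and the parallel verifier's single Cmt check forces all N rounds to be consistent with the commitments fixed before the challenges were chosen.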
[2-3: Efficient algorithm based on higher-order polynomials (scheme #1)]
The efficient algorithm above uses the property that, when the multivariate polynomial F is expressed by the set of quadratic polynomials f_i defined in formula (8), the polynomial G defined in formula (10) is bilinear. However, an efficient algorithm can be constructed in the same way whenever G is additively homomorphic, even if G is not bilinear.
(Structure of the efficient algorithm using quadratic polynomials f_i)
When G is additively homomorphic, relations (14) to (16) below hold among the variables r_0, r_1, t_0 and e_0. Formula (14) is obtained by splitting the secret key as s = r_0 + r_1 and expanding the public key F(s). Formulas (14) to (16) can be divided into a first part that can be reproduced from (r_0, t_1, e_1), a second part that can be reproduced from (r_1, t_0, e_0) and a third part that can be reproduced from (r_1, t_1, e_1).
For example, "r_0, t_1" in formula (15) and "F(r_0), e_1" in formula (16) belong to the first part. "e_0, G(t_0, r_1)" in formula (14), "t_0" in formula (15) and "e_0" in formula (16) belong to the second part. "e_1, F(r_1), G(t_1, r_1)" in formula (14) belong to the third part. In other words, formula (14) contains the second and third parts, formula (15) contains the first and second parts, and formula (16) contains the first and second parts.
As described above, each of formulas (14) to (16) contains two kinds of parts. Moreover, from the definition of the secret key s and the relations (14) to (16), it is guaranteed that the secret key s cannot be obtained from any one of (r_0, t_1, e_1), (r_1, t_0, e_0) and (r_1, t_1, e_1) alone. Using this property, the efficient algorithm for the 3-pass scheme shown in Fig. 5, for example, can be constructed.
[Mathematical Expression 11]
$F(r_0 + r_1) = e_0 + e_1 + F(r_1) + G(t_0, r_1) + G(t_1, r_1)$   …(14)
$r_0 = t_0 + t_1$   …(15)
$F(r_0) = e_0 + e_1$   …(16)
(Structure of the efficient algorithm using cubic polynomials f_l)
Next, extending the description of the quadratic polynomials f_i above, a method of constructing an efficient algorithm using cubic polynomials f_l over a ring R, expressed as formula (17) below, is discussed. The multivariate polynomial F = (f_1, ..., f_m) expressed by a set of cubic polynomials f_l satisfies relation (18) below. Here G_x(x, y) denotes the term that is linear in x and G_y(x, y) the term that is linear in y. Writing G_x = (g_x1, ..., g_xm) and G_y = (g_y1, ..., g_ym), g_xl and g_yl can be expanded as formulas (19) and (20) below. Since the second term on the right-hand side of g_xl is linear in each of x and y, it could equally be included in g_yl.
[Mathematical Expression 12]
$f_l(x_1, \ldots, x_n) = \sum_{i,j,k} a_{lijk} x_i x_j x_k + \sum_{i,j} b_{lij} x_i x_j + \sum_i c_{li} x_i$   …(17)
$F(x + y) - F(x) - F(y) = G_x(x, y) + G_y(x, y)$   …(18)
$g_{xl}(x_1, \ldots, x_n, y_1, \ldots, y_n) = \sum_{i,j,k} (a_{lijk} + a_{likj} + a_{lkji})\, y_i y_j x_k + \sum_{i,j} (b_{lij} + b_{lji})\, x_i y_j$   …(19)
$g_{yl}(x_1, \ldots, x_n, y_1, \ldots, y_n) = \sum_{i,j,k} (a_{lijk} + a_{likj} + a_{lkji})\, x_i x_j y_k$   …(20)
From formulas (19) and (20) it can be seen that G_x(x, y) is additively homomorphic in x and G_y(x, y) is additively homomorphic in y. Using this property, as in the method of constructing the efficient algorithm with quadratic polynomials f_i, the public key F(s) is divided by introducing new variables r_0, r_1, t_0, u_0 and e_0.
Since the polynomials G_x and G_y are additively homomorphic, relations (21) to (24) below hold among the variables r_0, r_1, t_0, u_0 and e_0. Formulas (21) to (24) can be divided into a first part that can be reproduced from (r_0, t_0, u_0, e_0), a second part that can be reproduced from (r_0, u_1, e_1), a third part that can be reproduced from (r_1, t_0, e_0) and a fourth part that can be reproduced from (r_1, t_1, u_1, e_1).
For example, "r_0, t_0" in formula (22), "u_0" in formula (23) and "F(r_0), G_y(r_0, u_0), e_0" in formula (24) belong to the first part. "G_y(r_0, u_1), e_1" in formula (24) belong to the second part. "e_0, G_x(t_0, r_1)" in formula (21) belong to the third part. "e_1, F(r_1), G_x(t_1, r_1)" in formula (21), "t_1" in formula (22) and "u_1" in formula (23) belong to the fourth part.
In other words, formula (21) contains the third and fourth parts, formulas (22) and (23) contain the first and fourth parts, and formula (24) contains the first and second parts. In this way each of formulas (21) to (24) contains two kinds of parts.
From the definition of the secret key s and the relations (21) to (24), it is guaranteed that the secret key s cannot be obtained from any one of (r_0, t_0, u_0, e_0), (r_0, u_1, e_1), (r_1, t_0, e_0) and (r_1, t_1, u_1, e_1) alone. Using this property, an efficient algorithm for the 3-pass scheme using cubic polynomials f_l over the ring R (hereinafter, the extended algorithm) can be constructed.
[Mathematical Expression 13]
$F(r_0 + r_1) = e_0 + e_1 + F(r_1) + G_x(t_0, r_1) + G_x(t_1, r_1)$   …(21)
$r_0 = t_0 + t_1$   …(22)
$r_1 = u_0 + u_1$   …(23)
$F(r_0) + G_y(r_0, u_1) + G_y(r_0, u_0) = e_0 + e_1$   …(24)
An example of a specific structure of the extended algorithm is described below. Two basic points in the design of the extended algorithm are that the message expressed by formulas (25) to (27) below is sent to the verifier, and that one of the first to fourth parts is verified. With this verification alone, however, it may not be possible to verify that the "r_1" contained in the third part is the same as the "r_1" contained in the fourth part. Likewise, it may not be possible to verify that the "r_0" in the first part is the same as the "r_0" in the second part, that "t_0, e_0" in the first part are the same as "t_0, e_0" in the third part, or that "u_1, e_1" in the second part are the same as "u_1, e_1" in the fourth part. A configuration example that can realize these checks is therefore introduced.
[Mathematical Expression 14]
$c_0 = H(G_x(t_0, r_1) + e_0)$   …(25)
$c_1 = H(t_0, u_0)$   …(26)
$c_2 = H(e_1 - G_y(r_0, u_1))$   …(27)
(2-3-1: Basic structure (Fig. 7))
First, the basic structure of the extended algorithm for the 3-pass scheme is described with reference to Fig. 7. The structure of the key generation algorithm Gen is not described further.
Operation #1:
As shown in Fig. 7, the prover algorithm P randomly generates vectors r_0, t_0 and u_0 in K^n and a vector e_0 in K^m. Then P computes r_1 <- s - r_0, which masks the secret key s with the vector r_0. Then P computes t_1 <- r_0 - t_0 and u_1 <- r_1 - u_0, so that relations (22) and (23) hold. Then P computes e_1 <- F(r_0) + G_y(r_0, u_0) + G_y(r_0, u_1) - e_0, which is relation (24) solved for e_1. This definition of e_1 is what the verifier's checks for Ch = 0 and Ch = 3 below rely on: with e_1 = F(r_0) - e_0 instead, the Ch = 0 check c_2 = H(r_0, F(r_0) + G_y(r_0, u_0) - e_0) would require G_y(r_0, u_0) + G_y(r_0, u_1) = G_y(r_0, r_1) to vanish, which it does not in general.
Operation #1 (continued):
Next, P computes c_0 <- H(r_1, G_x(t_0, r_1) + e_0), then c_1 <- H(r_0 - t_0, u_0), then c_2 <- H(r_0, e_1 - G_y(r_0, u_1)), then c_3 <- H(t_0, e_0), then c_4 <- H(u_1, e_1). The message (c_0, c_1, c_2, c_3, c_4) generated in operation #1 is sent to the verifier algorithm V.
Operation #2:
On receiving the message (c_0, c_1, c_2, c_3, c_4), V selects which of four verification patterns to use. For example, V selects a value from the four values {0, 1, 2, 3} representing the verification patterns and sets the selected value in the challenge Ch. The challenge Ch is sent to P.
Operation #3:
On receiving the challenge Ch, P generates the response Rsp to be sent to V according to the received Ch. If Ch = 0, P produces Rsp = (r_0, t_0, u_0, e_0). If Ch = 1, P produces Rsp = (r_0, u_1, e_1). If Ch = 2, P produces Rsp = (r_1, t_0, e_0). If Ch = 3, P produces Rsp = (r_1, t_1, u_1, e_1). The response Rsp generated in operation #3 is sent to V.
Operation #4:
On receiving the response Rsp, V performs the following verification using the received Rsp.
If Ch = 0, V checks whether c_1 = H(r_0 - t_0, u_0) holds, then whether c_2 = H(r_0, F(r_0) + G_y(r_0, u_0) - e_0) holds, then whether c_3 = H(t_0, e_0) holds. V outputs the value 1 (verification succeeded) if all checks pass and the value 0 (verification failed) otherwise.
If Ch = 1, V checks whether c_2 = H(r_0, e_1 - G_y(r_0, u_1)) holds, then whether c_4 = H(u_1, e_1) holds. V outputs 1 (verification succeeded) if both checks pass and 0 (verification failed) otherwise.
If Ch = 2, V checks whether c_0 = H(r_1, G_x(t_0, r_1) + e_0) holds, then whether c_3 = H(t_0, e_0) holds. V outputs 1 (verification succeeded) if both checks pass and 0 (verification failed) otherwise.
If Ch = 3, V checks whether c_0 = H(r_1, y - F(r_1) - e_1 - G_x(t_1, r_1)) holds, then whether c_1 = H(t_1, r_1 - u_1) holds, then whether c_4 = H(u_1, e_1) holds. V outputs 1 (verification succeeded) if all checks pass and 0 (verification failed) otherwise. (For an honest prover, y - F(r_1) - e_1 - G_x(t_1, r_1) = G_x(t_0, r_1) + e_0 by relations (18) and (21) to (24), and r_1 - u_1 = u_0 by (23), so both values match what was committed.)
The above is an example of the structure of the extended algorithm for the 3-pass scheme. Using this algorithm, the amount of data that must be communicated is reduced significantly. In addition, using cubic polynomials can achieve higher security.
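The extended algorithm of Fig. 7 (2-3-1) above, as an added worked example that is not code from the patent. It builds G_x and G_y directly from formulas (19) and (20), defines e_1 by relation (24), and runs all four challenges over K = GF(p) with toy parameters p = 251, n = 3, m = 2, SHA-256 as H and random.Random as the randomness source; all of these are assumptions. The test at the end of the block's development also confirms relation (18) and the additive homomorphism of G_x in x and of G_y in y, which is what makes the Ch = 3 check close.

```python
# Added example (not code from the patent): the cubic-polynomial extended
# algorithm of Fig. 7 over K = GF(p).  G_x and G_y follow formulas (19) and
# (20); e_1 is defined by relation (24) so that every verifier check closes.
# p, n, m, SHA-256 as H and random.Random are assumptions.
import hashlib
import random

p, n, m = 251, 3, 2
R = range(n)

def H(*parts):
    return hashlib.sha256(repr(parts).encode()).digest()

def new_rng(seed=3):
    return random.Random(seed)

def rv(rng, k):
    return [rng.randrange(p) for _ in range(k)]

def vadd(a, b):
    return [(u + v) % p for u, v in zip(a, b)]

def vsub(a, b):
    return [(u - v) % p for u, v in zip(a, b)]

def keygen(rng):
    """Cubic f_l of formula (17): tensors a[l][i][j][k], b[l][i][j], c[l][i]."""
    a = [[[rv(rng, n) for _ in R] for _ in R] for _ in range(m)]
    b = [[rv(rng, n) for _ in R] for _ in range(m)]
    c = [rv(rng, n) for _ in range(m)]
    return (a, b, c), rv(rng, n)

def F(pk, x):
    a, b, c = pk
    return [(sum(a[l][i][j][k] * x[i] * x[j] * x[k] for i in R for j in R for k in R)
             + sum(b[l][i][j] * x[i] * x[j] for i in R for j in R)
             + sum(c[l][i] * x[i] for i in R)) % p for l in range(m)]

def Gx(pk, x, y):                     # formula (19): linear in x
    a, b, _ = pk
    return [(sum((a[l][i][j][k] + a[l][i][k][j] + a[l][k][j][i]) * y[i] * y[j] * x[k]
                 for i in R for j in R for k in R)
             + sum((b[l][i][j] + b[l][j][i]) * x[i] * y[j] for i in R for j in R)) % p
            for l in range(m)]

def Gy(pk, x, y):                     # formula (20): linear in y
    a, _, _ = pk
    return [sum((a[l][i][j][k] + a[l][i][k][j] + a[l][k][j][i]) * x[i] * x[j] * y[k]
                for i in R for j in R for k in R) % p for l in range(m)]

def commit(pk, s, rng):               # Fig. 7, Operation #1
    r0, t0, u0, e0 = rv(rng, n), rv(rng, n), rv(rng, n), rv(rng, m)
    r1 = vsub(s, r0)
    t1 = vsub(r0, t0)                                   # r0 = t0 + t1   (22)
    u1 = vsub(r1, u0)                                   # r1 = u0 + u1   (23)
    e1 = vsub(vadd(vadd(F(pk, r0), Gy(pk, r0, u0)), Gy(pk, r0, u1)), e0)   # (24)
    c = (H(r1, vadd(Gx(pk, t0, r1), e0)),
         H(vsub(r0, t0), u0),
         H(r0, vsub(e1, Gy(pk, r0, u1))),
         H(t0, e0),
         H(u1, e1))
    return c, dict(r0=r0, r1=r1, t0=t0, t1=t1, u0=u0, u1=u1, e0=e0, e1=e1)

def respond(st, ch):                  # Fig. 7, Operation #3
    return {0: (st["r0"], st["t0"], st["u0"], st["e0"]),
            1: (st["r0"], st["u1"], st["e1"]),
            2: (st["r1"], st["t0"], st["e0"]),
            3: (st["r1"], st["t1"], st["u1"], st["e1"])}[ch]

def verify(pk, y, c, ch, rsp):        # Fig. 7, Operation #4
    if ch == 0:
        r0, t0, u0, e0 = rsp
        return (c[1] == H(vsub(r0, t0), u0)
                and c[2] == H(r0, vsub(vadd(F(pk, r0), Gy(pk, r0, u0)), e0))
                and c[3] == H(t0, e0))
    if ch == 1:
        r0, u1, e1 = rsp
        return c[2] == H(r0, vsub(e1, Gy(pk, r0, u1))) and c[4] == H(u1, e1)
    if ch == 2:
        r1, t0, e0 = rsp
        return c[0] == H(r1, vadd(Gx(pk, t0, r1), e0)) and c[3] == H(t0, e0)
    r1, t1, u1, e1 = rsp
    inner = vsub(vsub(vsub(y, F(pk, r1)), e1), Gx(pk, t1, r1))
    return (c[0] == H(r1, inner) and c[1] == H(t1, vsub(r1, u1))
            and c[4] == H(u1, e1))

def run_round(pk, y, s, ch, rng):
    c, st = commit(pk, s, rng)
    return verify(pk, y, c, ch, respond(st, ch))
```

Every commitment that mentions r_0 or r_1 (c_0, c_1 via r_0 - t_0, c_2) includes the vector itself as a hash input, which is the "configuration that can realize this verification" promised after formulas (25) to (27): the same r_1 is forced into the Ch = 2 and Ch = 3 openings and the same r_0 into the Ch = 0 and Ch = 1 openings.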
(2-3-2: Parallel Algorithm (Fig. 8))
Next, the method for the parallelization of the expansion algorithm relevant to 3 times schemes is described with reference to Fig. 8.Yet, by further describing of the structure of omission key generation algorithm Gen.
Operation #1:
As shown in Figure 8, certifier's algorithm P carries out process below for i=1 to N.First, certifier's algorithm P produces at random as set K nthe vectorial r of element 0i, t 0i, u 0iwith conduct set K mthe vectorial e of element 0i.Subsequently, certifier's algorithm P calculates r 1i<-s-r 0i.This calculating is equal to and utilizes vectorial r 0ishelter privacy key s.Subsequently, certifier's algorithm P calculates t 1i<-r 0i-t 0i.Subsequently, certifier's algorithm P calculates u 1i<-r 1i-u 0i.Subsequently, certifier's algorithm P calculates e 1i<-F (r 0i)-e 0i.
Operation #1 (continuation):
Next, prover algorithm P computes c_0i ← H(r_1i, G_x(t_0i, r_1i) + e_0i). Next, prover algorithm P computes c_1i ← H(r_0i − t_0i, u_0i). Next, prover algorithm P computes c_2i ← H(r_0i, e_1i − G_y(r_0i, u_1i)). Next, prover algorithm P computes c_3i ← H(t_0i, e_0i). Next, prover algorithm P computes c_4i ← H(u_1i, e_1i). After generating (c_01, c_11, c_21, c_31, c_41, ..., c_0N, c_1N, c_2N, c_3N, c_4N), prover algorithm P computes the hash value Cmt ← H(c_01, c_11, c_21, c_31, c_41, ..., c_0N, c_1N, c_2N, c_3N, c_4N).
The hash value Cmt generated in operation #1 is sent to verifier algorithm V.
Operation #2:
On receiving the hash value Cmt, verifier algorithm V selects, for each i = 1 to N, which of the four verification patterns to use. For example, verifier algorithm V may select, for each i = 1 to N, a value from the four values {0, 1, 2, 3} representing the verification patterns and set the selected value in the challenge Ch_i. The challenges Ch_i (i = 1 to N) are sent to prover algorithm P.
Operation #3:
On receiving the challenges Ch_i (i = 1 to N), prover algorithm P generates, in response to each received challenge Ch_i, a response Rsp_i (i = 1 to N) to be sent to verifier algorithm V. In the case Ch_i = 0, prover algorithm P generates the response Rsp_i = (r_0i, t_0i, u_0i, e_0i, c_0i, c_4i). In the case Ch_i = 1, prover algorithm P generates the response Rsp_i = (r_0i, u_1i, e_1i, c_0i, c_1i, c_3i). In the case Ch_i = 2, prover algorithm P generates the response Rsp_i = (r_1i, t_0i, e_0i, c_1i, c_2i, c_4i). In the case Ch_i = 3, prover algorithm P generates the response Rsp_i = (r_1i, t_1i, u_1i, e_1i, c_2i, c_3i). The responses Rsp_i (i = 1 to N) generated in operation #3 are sent to verifier algorithm V.
Operation #4:
On receiving the responses Rsp_i (i = 1 to N), verifier algorithm V performs the following process for i = 1 to N using the received responses Rsp_i.
In the case Ch_i = 0, verifier algorithm V computes c_1i = H(r_0i − t_0i, u_0i). Next, verifier algorithm V computes c_2i = H(r_0i, F(r_0i) + G_y(r_0i, u_0i) − e_0i). Next, verifier algorithm V computes c_3i = H(t_0i, e_0i). Verifier algorithm V then stores (c_0i, c_1i, c_2i, c_3i, c_4i).
In the case Ch_i = 1, verifier algorithm V computes c_2i = H(r_0i, e_1i − G_y(r_0i, u_1i)). Next, verifier algorithm V computes c_4i = H(u_1i, e_1i). Next, verifier algorithm V computes c_3i = H(t_0i, e_0i). Verifier algorithm V then stores (c_0i, c_1i, c_2i, c_3i, c_4i).
In the case Ch_i = 2, verifier algorithm V computes c_0i = H(r_1i, G_x(t_0i, r_1i) + e_0i). Next, verifier algorithm V computes c_3i = H(t_0i, e_0i). Verifier algorithm V then stores (c_0i, c_1i, c_2i, c_3i, c_4i).
In the case Ch_i = 3, verifier algorithm V computes c_0i = H(r_1i, y − F(r_1i) − e_1i − G_x(t_1i, r_1i)). Next, verifier algorithm V computes c_1i = H(t_1i, r_1i − u_1i). Next, verifier algorithm V computes c_4i = H(u_1i, e_1i). Verifier algorithm V then stores (c_0i, c_1i, c_2i, c_3i, c_4i).
After performing the above process for i = 1 to N, verifier algorithm V checks whether the equation Cmt = H(c_01, c_11, c_21, c_31, c_41, ..., c_0N, c_1N, c_2N, c_3N, c_4N) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when the verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
This concludes the description of the parallelization of the extended algorithm structure for the 3-pass scheme. Using this algorithm, the amount of data that must be communicated is significantly reduced. In addition, using cubic polynomials achieves higher security.
<3. Algorithm structure for the 5-pass public-key authentication scheme>
The algorithm for the 5-pass public-key authentication scheme is described below. Note that in the following description the 5-pass public-key authentication scheme may in some cases be called the "5-pass scheme".
In the case of the 3-pass scheme, the probability of false verification per execution of the interactive protocol is 2/3. In the case of the 5-pass scheme, however, the probability of false verification per execution of the interactive protocol is 1/2 + 1/q. Here, q is the order of the ring used. Therefore, when the order of the ring is sufficiently large, the probability of false verification per execution of the 5-pass scheme can be reduced, and the probability of false verification can be made sufficiently small by executing the interactive protocol a smaller number of times.
For example, when the desired probability of false verification is 1/2^n or less, the interactive protocol must be executed n/(log 3 − 1) = 1.701n times or more in the 3-pass scheme. On the other hand, when the desired probability of false verification is 1/2^n or less, the interactive protocol must be executed n/(1 − log(1 + 1/q)) times or more in the 5-pass scheme. Therefore, when q = 2^4, the communication required to achieve the same security level is smaller in the 5-pass scheme than in the 3-pass scheme.
[3-1. Example of specific algorithm structure (Fig. 9)]
First, an example of a specific algorithm structure for the 5-pass scheme is introduced with reference to Fig. 9. Fig. 9 is an explanatory diagram describing the specific algorithm structure for the 5-pass scheme. The algorithm of the 5-pass scheme consists of a key generation algorithm Gen, a prover algorithm P and a verifier algorithm V. The structure of each algorithm is described below.
(Key generation algorithm Gen)
The key generation algorithm Gen generates polynomials f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n) defined over the ring K and a vector s = (s_1, ..., s_n) that is an element of the set K^n. Next, the key generation algorithm Gen computes y = (y_1, ..., y_m) ← (f_1(s), ..., f_m(s)). In addition, the key generation algorithm Gen sets (f_1, ..., f_m, y) as the public key pk and sets s as the secret key. Below, the vector (x_1, ..., x_n) is written x, and the set of polynomials (f_1(x), ..., f_m(x)) is written F(x).
(Prover algorithm P, verifier algorithm V)
Next, the processes performed by prover algorithm P and verifier algorithm V during the interactive protocol are described with reference to Fig. 9.
Operation #1:
As shown in Fig. 9, prover algorithm P randomly selects a number seed_0. Next, prover algorithm P applies the number seed_0 to the pseudorandom number generator PRNG to generate a vector r_0 that is an element of the set K^n and a set of polynomials F_1(x) = (f_11(x), ..., f_1m(x)). That is, prover algorithm P computes (r_0, F_1) ← PRNG(seed_0). Next, prover algorithm P computes r_1 ← s − r_0. This computation is equivalent to masking the secret key s with the vector r_0.
Operation #1 (continuation):
Next, prover algorithm P generates the hash value c_0 of F_1(r_1) and r_1. That is, prover algorithm P computes c_0 ← H(F_1(r_1), r_1). In addition, prover algorithm P generates the hash value c_1 of the number seed_0. That is, prover algorithm P computes c_1 ← H(seed_0). The message (c_0, c_1) generated in operation #1 is sent to verifier algorithm V.
Operation #2:
On receiving the message (c_0, c_1), verifier algorithm V randomly selects a number Ch_A from the q elements of the ring K and sends the selected number Ch_A to prover algorithm P.
Operation #3:
On receiving the number Ch_A, prover algorithm P computes F_2(x) ← Ch_A · F(x + r_0) + F_1(x). This computation is equivalent to masking the polynomial F(x + r_0) in x with the polynomial F_1(x). The polynomial F_2 generated in operation #3 is sent to verifier algorithm V.
Operation #4:
On receiving the polynomial F_2, verifier algorithm V selects which of two verification patterns to use. For example, verifier algorithm V may select a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_B. This challenge Ch_B is sent to prover algorithm P.
Operation #5:
On receiving the challenge Ch_B, prover algorithm P generates, in response to the received challenge Ch_B, a response Rsp to be sent to verifier algorithm V. In the case Ch_B = 0, prover algorithm P generates the response Rsp = seed_0. In the case Ch_B = 1, prover algorithm P generates the response Rsp = r_1. The response Rsp generated in operation #5 is sent to verifier algorithm V.
Operation #6:
On receiving the response Rsp, verifier algorithm V performs the following verification process using the received response Rsp.
In the case Ch_B = 0, verifier algorithm V computes (r_0, F_1) ← PRNG(Rsp). Then, verifier algorithm V checks whether the equation c_1 = H(Rsp) holds. In addition, verifier algorithm V checks whether the equation F_2(x) = Ch_A · F(x + r_0) + F_1(x) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when all these verifications succeed, and outputs the value 0 to indicate authentication failure when a verification fails.
In the case Ch_B = 1, verifier algorithm V sets r_1 ← Rsp. In addition, verifier algorithm V checks whether the equation c_0 = H(F_2(r_1) − Ch_A · y, r_1) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
(Soundness)
The soundness of the 5-pass scheme is guaranteed by the following fact: when prover algorithm P responds correctly to both challenges Ch_B = 0 and 1 for the message (c_0, c_1) and for each of two values (Ch_A, Ch_A') selected by verifier algorithm V, then F_1, F_2, F_2', r_0 and r_1 satisfying formulas (28) to (30) below can be computed from the contents of the responses.
[Mathematical expression 15]
F_2(x) = Ch_A · F(x + r_0) + F_1(x)   …(28)
F_2'(x) = Ch_A' · F(x + r_0) + F_1(x)   …(29)
F_2(r_1) − Ch_A · y = F_2'(r_1) − Ch_A' · y   …(30)
Since the soundness of the 5-pass scheme is guaranteed as described above, it is guaranteed that a forgery succeeding with probability higher than 1/2 + 1/q cannot be achieved as long as the problem of solving a system of higher-order multivariate simultaneous equations remains unsolved. That is, in order to respond correctly to both of the verifier's challenges Ch_B = 0 and 1, a forger would have to compute F_1, F_2, F_2', r_0 and r_1 satisfying formulas (28) to (30) above. In other words, the forger would have to compute s satisfying F(s) = y. Therefore, as long as the problem of solving a system of higher-order multivariate simultaneous equations remains unsolved, the forger cannot succeed in a forgery with probability higher than 1/2 + 1/q. In addition, by repeating the above interactive protocol a sufficient number of times, the probability of a successful forgery becomes negligibly small.
(Hash function H)
Here, the description of the hash function H is supplemented. In the above algorithm, the hash function H is used to compute c_0, c_1 and so on. However, a commitment function COM may be used instead of the hash function H. The commitment function COM is a function that takes a character string S and a random number ρ as its arguments. Examples of commitment functions include the scheme disclosed by Shai Halevi and Silvio Micali at the international conference CRYPTO 1996.
For example, consider the case in which c_0 and c_1 are computed using the commitment function COM. In this case, random numbers ρ_0 and ρ_1 are prepared before c_0 and c_1 are computed, and c_0 and c_1 are generated by applying the commitment functions COM(·, ρ_0) and COM(·, ρ_1) instead of the hash function H(·). In addition, the ρ_i required for the verifier to generate c_i is included in the response Rsp and sent.
This concludes the description of the example of the specific algorithm structure for the 5-pass scheme.
[3-2: Efficient algorithm based on quadratic polynomials]
Next, a method of making the algorithm for the 5-pass scheme efficient is described. Here, the case in which a set of quadratic polynomials (f_1(x), ..., f_m(x)) is used as the polynomials F is described.
As in the efficient algorithm for the 3-pass scheme, two vectors (that is, a vector t_0 that is an element of the set K^n and a vector e_0 that is an element of the set K^m) are used to express the polynomial F_1(x) as F_1(x) = G(x, t_0) + e_0, and the polynomial F_1(x) is used to mask the polynomial F(x + r_0). When this expression is used, the relation in formula (31) below is obtained for the polynomial F(x + r_0).
[Mathematical expression 16]
Ch_A · F(x + r_0) + F_1(x)
= Ch_A · F(x) + Ch_A · F(r_0) + Ch_A · G(x, r_0) + G(x, t_0) + e_0
= Ch_A · F(x) + G(x, Ch_A · r_0 + t_0) + Ch_A · F(r_0) + e_0   …(31)
For this reason, when t_1 = Ch_A · r_0 + t_0 and e_1 = Ch_A · F(r_0) + e_0, the masked polynomial F_2(x) = Ch_A · F(x + r_0) + F_1(x) can also be expressed by two vectors (that is, a vector t_1 that is an element of the set K^n and a vector e_1 that is an element of the set K^m). For this reason, when F_1(x) = G(x, t_0) + e_0 is set, F_1 and F_2 can be expressed using a vector in K^n and a vector in K^m, so the amount of data that must be communicated can be significantly reduced. Specifically, the communication cost can be reduced by a factor of several thousand to several tens of thousands.
With the above modification, no information about r_0 is leaked from F_2 (or F_1). For example, even when e_1 and t_1 (or e_0 and t_0) are given, nothing about r_0 is learned as long as e_0 and t_0 (or e_1 and t_1) are unknown. Therefore, zero knowledge is guaranteed. Below, the efficient algorithm for the 5-pass scheme is described with reference to Figs. 10 and 11.
(3-2-1: Basic structure (Fig. 10))
First, the basic structure of the efficient algorithm for the 5-pass scheme is described with reference to Fig. 10. Further description of the structure of the key generation algorithm Gen is omitted.
Operation #1:
As shown in Fig. 10, prover algorithm P randomly generates a vector r_0 that is an element of the set K^n, a vector t_0 that is an element of the set K^n and a vector e_0 that is an element of the set K^m. Next, prover algorithm P computes r_1 ← s − r_0. This computation is equivalent to masking the secret key s with the vector r_0. Next, prover algorithm P computes the hash value c_0 of the vectors r_0, t_0, e_0. That is, prover algorithm P computes c_0 ← H(r_0, t_0, e_0). Next, prover algorithm P generates the hash value c_1 of G(t_0, r_1) + e_0 and r_1. That is, prover algorithm P computes c_1 ← H(r_1, G(t_0, r_1) + e_0). The message (c_0, c_1) generated in operation #1 is sent to verifier algorithm V.
Operation #2:
On receiving the message (c_0, c_1), verifier algorithm V randomly selects a number Ch_A from the q elements of the ring K and sends the selected number Ch_A to prover algorithm P.
Operation #3:
On receiving the number Ch_A, prover algorithm P computes t_1 ← Ch_A · r_0 − t_0. In addition, prover algorithm P computes e_1 ← Ch_A · F(r_0) − e_0. Prover algorithm P sends t_1 and e_1 to verifier algorithm V.
Operation #4:
On receiving t_1 and e_1, verifier algorithm V selects which of two verification patterns to use. For example, verifier algorithm V may select a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_B. This challenge Ch_B is sent to prover algorithm P.
Operation #5:
On receiving the challenge Ch_B, prover algorithm P generates, in response to the received challenge Ch_B, a response Rsp to be sent to verifier algorithm V. In the case Ch_B = 0, prover algorithm P generates the response Rsp = r_0. In the case Ch_B = 1, prover algorithm P generates the response Rsp = r_1. The response Rsp generated in operation #5 is sent to verifier algorithm V.
Operation #6:
On receiving the response Rsp, verifier algorithm V performs the following verification process using the received response Rsp.
In the case Ch_B = 0, verifier algorithm V performs r_0 ← Rsp. Then, verifier algorithm V checks whether the equation c_0 = H(r_0, Ch_A · r_0 − t_1, Ch_A · F(r_0) − e_1) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
In the case Ch_B = 1, verifier algorithm V performs r_1 ← Rsp. Then, verifier algorithm V checks whether the equation c_1 = H(r_1, Ch_A · (y − F(r_1)) − G(t_1, r_1) − e_1) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
This concludes the description of the example of the efficient algorithm structure for the 5-pass scheme. Using this algorithm, the amount of data that must be communicated is significantly reduced.
(3-2-2: Parallel Algorithm (Fig. 11))
Next, the method of parallelizing the efficient algorithm shown in Fig. 10 is described with reference to Fig. 11. Further description of the structure of the key generation algorithm Gen is omitted.
As described above, applying the above interactive protocol for the 5-pass scheme keeps the probability of a successful forgery at (1/2 + 1/q) or less. Therefore, executing the interactive protocol twice keeps the probability of a successful forgery at (1/2 + 1/q)^2 or less. In addition, if the interactive protocol is executed N times, the probability of a successful forgery becomes (1/2 + 1/q)^N or less, and if N is set to a sufficiently large number (for example, N = 80), the probability of a successful forgery becomes negligibly small.
Conceivable methods of executing the interactive protocol multiple times include, for example, a serial method in which the exchange of message, challenge and response is repeated sequentially, and a parallel method in which a plurality of messages, challenges and responses are exchanged in a single exchange. Here, an algorithm that executes the above interactive protocol for the 5-pass scheme in parallel (below, called the parallel algorithm) is described.
Operation #1:
Prover algorithm P first performs the following processes (1) to (4) for i = 1 to N.
Process (1): prover algorithm P randomly generates vectors r_0i, t_0i that are elements of the set K^n and a vector e_0i that is an element of the set K^m.
Process (2): prover algorithm P computes r_1i ← s − r_0i. This computation is equivalent to masking the secret key s with the vector r_0i.
Process (3): prover algorithm P computes c_0i ← H(r_0i, t_0i, e_0i).
Process (4): prover algorithm P computes c_1i ← H(r_1i, G(t_0i, r_1i) + e_0i).
After performing the above processes (1) to (4) for i = 1 to N, prover algorithm P computes the hash value Cmt ← H(c_01, c_11, ..., c_0N, c_1N). The hash value Cmt generated in operation #1 is sent to verifier algorithm V.
Operation #2:
On receiving the hash value Cmt, verifier algorithm V randomly selects, for i = 1 to N, a number Ch_Ai from the q elements of the ring K and sends the selected numbers Ch_Ai (i = 1 to N) to prover algorithm P.
Operation #3:
On receiving the numbers Ch_Ai (i = 1 to N), prover algorithm P computes t_1i ← Ch_Ai · r_0i − t_0i for i = 1 to N. In addition, prover algorithm P computes e_1i ← Ch_Ai · F(r_0i) − e_0i for i = 1 to N. Then, prover algorithm P sends t_11, ..., t_1N and e_11, ..., e_1N to verifier algorithm V.
Operation #4:
On receiving t_11, ..., t_1N and e_11, ..., e_1N, verifier algorithm V selects, for i = 1 to N, which of two verification patterns to use. For example, verifier algorithm V may select a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_Bi. The challenges Ch_Bi (i = 1 to N) are sent to prover algorithm P.
Operation #5:
On receiving the challenges Ch_Bi (i = 1 to N), prover algorithm P generates, for i = 1 to N, a response Rsp_i to be sent to verifier algorithm V in response to the received challenge Ch_Bi. In the case Ch_Bi = 0, prover algorithm P generates the response Rsp_i = (r_0i, c_1i). In the case Ch_Bi = 1, prover algorithm P generates the response Rsp_i = (r_1i, c_0i). The responses Rsp_i (i = 1 to N) generated in operation #5 are sent to verifier algorithm V.
Operation #6:
On receiving the responses Rsp_i (i = 1 to N), verifier algorithm V performs the following processes (1) and (2) using the received responses Rsp_i (i = 1 to N).
Process (1): in the case Ch_Bi = 0, verifier algorithm V performs (r_0i, c_1i) ← Rsp_i. Then, verifier algorithm V computes c_0i = H(r_0i, Ch_Ai · r_0i − t_1i, Ch_Ai · F(r_0i) − e_1i). Verifier algorithm V then stores (c_0i, c_1i).
Process (2): in the case Ch_Bi = 1, verifier algorithm V performs (r_1i, c_0i) ← Rsp_i. Then, verifier algorithm V computes c_1i = H(r_1i, Ch_Ai · (y − F(r_1i)) − G(t_1i, r_1i) − e_1i). Verifier algorithm V then stores (c_0i, c_1i).
After performing processes (1) and (2) for i = 1 to N, verifier algorithm V checks whether the equation Cmt = H(c_01, c_11, ..., c_0N, c_1N) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
This concludes the description of the example of the structure of the parallelized efficient algorithm for the 5-pass scheme. In addition, the parallel algorithm shown in Fig. 11 includes the design in which the messages are converted into a hash value before being sent. This design improves communication efficiency. Similarly, the structure may be modified so that the challenges Ch_A1, ..., Ch_AN, Ch_B1, ..., Ch_BN or the responses Rsp_1, ..., Rsp_N are converted into a hash value before being sent. Modifying the structure in this way can further improve the expected communication efficiency.
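As an added example (not the patent's own code), the parallel efficient 5-pass scheme of Figs. 10 and 11 is run end to end over a constructed toy field K = GF(31) with SHA-256 standing in for H; prover, verifier and the Cmt check follow the operations above, and the fixed-challenge runs show why a prover who does not know s still passes every Ch_B = 0 branch but fails a Ch_B = 1 branch whenever Ch_A ≠ 0.

```python
import hashlib
import random

# Added example, not the patent's own code. Constructed toy parameter:
# K = GF(q) for a small prime q (the page only needs a ring of order q).
q = 31


def H(*parts):
    """The hash function H of the page: SHA-256 over a length-prefixed encoding
    of vectors over K (lists of ints) and of earlier hash values (bytes)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, bytes):
            h.update(b"h" + p)
        else:
            h.update(b"v" + len(p).to_bytes(2, "big") + bytes(x % q for x in p))
    return h.digest()

def vadd(a, b):
    return [(x + y) % q for x, y in zip(a, b)]

def vsub(a, b):
    return [(x - y) % q for x, y in zip(a, b)]

def vscale(c, a):
    return [(c * x) % q for x in a]

def eval_F(pk, x):
    """F(x) = (f_1(x), ..., f_m(x)), f_l(x) = sum_ij A[l][i][j] x_i x_j + sum_i B[l][i] x_i."""
    A, B, _ = pk
    n = len(x)
    out = []
    for Al, Bl in zip(A, B):
        v = sum(Al[i][j] * x[i] * x[j] for i in range(n) for j in range(n))
        v += sum(Bl[i] * x[i] for i in range(n))
        out.append(v % q)
    return out

def G(pk, x, y):
    """G(x, y) = F(x + y) - F(x) - F(y); bilinear because every f_l is quadratic."""
    return vsub(vsub(eval_F(pk, vadd(x, y)), eval_F(pk, x)), eval_F(pk, y))

def keygen(n, m, seed):
    """Gen: random quadratic system F and secret s in K^n; pk = (F, y = F(s))."""
    rng = random.Random(seed)
    A = [[[rng.randrange(q) for _ in range(n)] for _ in range(n)] for _ in range(m)]
    B = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    return (A, B, eval_F((A, B, None), s)), s

def prover_commit(pk, s, N, rng):
    """Operation #1 of Fig. 11: N independent maskings and one hash Cmt of all c_0i, c_1i."""
    n, m = len(s), len(pk[2])
    states, cs = [], []
    for _ in range(N):
        r0 = [rng.randrange(q) for _ in range(n)]
        t0 = [rng.randrange(q) for _ in range(n)]
        e0 = [rng.randrange(q) for _ in range(m)]
        r1 = vsub(s, r0)                       # r_1 = s - r_0 masks the secret key
        c0 = H(r0, t0, e0)
        c1 = H(r1, vadd(G(pk, t0, r1), e0))
        states.append((r0, r1, t0, e0, c0, c1))
        cs += [c0, c1]
    return states, H(*cs)

def prover_respond_a(pk, states, chA):
    """Operation #3: t_1i = Ch_Ai r_0i - t_0i and e_1i = Ch_Ai F(r_0i) - e_0i."""
    return [(vsub(vscale(a, r0), t0), vsub(vscale(a, eval_F(pk, r0)), e0))
            for (r0, _, t0, e0, _, _), a in zip(states, chA)]

def prover_respond_b(states, chB):
    """Operation #5: Rsp_i = (r_0i, c_1i) if Ch_Bi = 0, else (r_1i, c_0i)."""
    return [(st[0], st[5]) if b == 0 else (st[1], st[4]) for st, b in zip(states, chB)]

def verify(pk, cmt, chA, te, chB, rsp):
    """Operation #6: rebuild the missing c_0i or c_1i from each response, then check Cmt."""
    y = pk[2]
    cs = []
    for a, (t1, e1), b, (r, c_given) in zip(chA, te, chB, rsp):
        if b == 0:   # r = r_0i: t_0i = Ch_A r_0i - t_1i and e_0i = Ch_A F(r_0i) - e_1i
            c0 = H(r, vsub(vscale(a, r), t1), vsub(vscale(a, eval_F(pk, r)), e1))
            cs += [c0, c_given]
        else:        # r = r_1i: uses y = F(r_0i + r_1i) and the bilinearity of G
            inner = vsub(vsub(vscale(a, vsub(y, eval_F(pk, r))), G(pk, t1, r)), e1)
            cs += [c_given, H(r, inner)]
    return H(*cs) == cmt

def run_protocol(pk, s, N, seed, chA=None, chB=None):
    """One complete Fig. 11 exchange; challenges are drawn at random unless fixed."""
    rng = random.Random(seed)
    states, cmt = prover_commit(pk, s, N, rng)
    if chA is None:
        chA = [rng.randrange(q) for _ in range(N)]   # Ch_Ai from the q elements of K
    te = prover_respond_a(pk, states, chA)
    if chB is None:
        chB = [rng.randrange(2) for _ in range(N)]   # Ch_Bi from {0, 1}
    rsp = prover_respond_b(states, chB)
    return verify(pk, cmt, chA, te, chB, rsp)

if __name__ == "__main__":
    pk, s = keygen(4, 4, seed=1)
    print("honest prover accepted:", run_protocol(pk, s, N=8, seed=2))
```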
[3-3: Efficient algorithm based on higher-order polynomials (scheme #1)]
The above efficient algorithm uses the property that, when the polynomials F are expressed by the set of quadratic polynomials f_i defined in formula (8) above, the polynomial G defined in formula (10) above becomes bilinear. Here, the efficient algorithm shown in Fig. 10 uses the fact that the public key F(s) can be divided into a part that depends on Ch_A, as a term multiplied by Ch_A, and another part. However, even in the case of the 5-pass scheme, when the polynomial G is linear in at least one of x and y, an efficient algorithm can likewise be constructed even when the polynomial G is not bilinear.
(Structure of an efficient algorithm using cubic polynomials f_l)
As in the case of the 3-pass scheme, the method of constructing an efficient algorithm using cubic polynomials f_l over the ring R is examined. When the cubic polynomial f_l is expressed as in formula (17) above, it can be seen from formulas (19) and (20) that G_x(x, y) and G_y(x, y) are linear in x and in y, respectively.
Therefore, using the above property, the public key F(s) is divided into terms multiplied by Ch_A by introducing new variables r_0, r_1, t_0, u_0 and e_0. Since the polynomials G_x and G_y are linear in x and y, the relations in formulas (32) to (35) below are established using the variables r_0, r_1, t_0, u_0 and e_0. Each of formulas (32) to (35) below can be divided into a first part that depends on Ch_A and a second part that does not depend on Ch_A. Here, the first part can be reproduced using (r_1, t_1, u_1, e_1), and the second part can be reproduced using (r_0, t_1, u_1, e_1).
For example, "e_0, G_x(t_0, r_1)" in formula (32) below, "t_0" in formula (33) below, "u_0" in formula (34) below and "e_0, G_y(r_0, u_0)" in formula (35) below are the first part. On the other hand, "Ch_A · F(r_0 + r_1), e_1, Ch_A · F(r_1), G_x(t_1, r_1)" in formula (32) below, "Ch_A · r_0, t_1" in formula (33) below, "Ch_A · r_1, u_1" in formula (34) below and "Ch_A · F(r_0), G_y(r_0, u_1), e_1" in formula (35) below are the second part.
From the definition of the secret key s and the relations in formulas (32) to (35) below, it is guaranteed that the secret key s is obtained whichever of (r_1, t_1, u_1, e_1) and (r_0, t_1, u_1, e_1) is used. Using this property, an efficient algorithm for the 5-pass scheme using cubic polynomials f_l over the ring R (the extended algorithm below) can be realized, for example.
[Mathematical expression 17]
Ch_A · F(r_0 + r_1) = e_0 + e_1 + Ch_A · F(r_1) + G_x(t_0, r_1) + G_x(t_1, r_1)   …(32)
Ch_A · r_0 = t_0 + t_1   …(33)
Ch_A · r_1 = u_0 + u_1   …(34)
Ch_A · F(r_0) + G_y(r_0, u_1) + G_y(r_0, u_0) = e_0 + e_1   …(35)
An example of a specific extended algorithm structure is described below. Two basic points in the design of the extended algorithm are that the messages expressed in formulas (36) and (37) below are sent to the verifier, and that the part depending on Ch_A (the first part) is verified for the Ch_A selected by the verifier. Here, in order to prevent the r_0 and r_1 used when the messages were generated from being replaced by other r_0 and r_1 at verification time, an example of a structure to which a verification of r_0 and r_1 is added is introduced below.
[Mathematical expression 18]
c_0 = H(t_0, e_0 − G_y(r_0, u_0))   …(36)
c_1 = H(u_0, G_x(t_0, r_1) + e_0)   …(37)
(3-3-1: Basic structure (Fig. 12))
First, the basic structure of the extended algorithm for the 5-pass scheme is described with reference to Fig. 12. Further description of the structure of the key generation algorithm Gen is omitted.
Operation #1:
As shown in Fig. 12, prover algorithm P randomly generates vectors r_0, t_0, u_0 that are elements of the set K^n and a vector e_0 that is an element of the set K^m. Next, prover algorithm P computes r_1 ← s − r_0. This computation is equivalent to masking the secret key s with the vector r_0. Next, prover algorithm P computes c_0 ← H(r_0, t_0, e_0 − G_y(r_0, u_0)). Next, prover algorithm P computes c_1 ← H(r_1, u_0, G_x(t_0, r_1) + e_0). The message (c_0, c_1) generated in operation #1 is sent to verifier algorithm V.
Operation #2:
On receiving the message (c_0, c_1), verifier algorithm V randomly selects a number Ch_A. The number Ch_A is sent to prover algorithm P.
Operation #3:
On receiving the number Ch_A, prover algorithm P computes t_1 ← Ch_A · r_0 − t_0. Next, prover algorithm P computes u_1 ← Ch_A · r_1 − u_0. Next, prover algorithm P computes e_1 ← Ch_A · F(r_0) + Ch_A · G_y(r_0, r_1) − e_0. Then, (t_1, u_1, e_1) generated in operation #3 is sent to verifier algorithm V.
Operation #4:
On receiving (t_1, u_1, e_1), verifier algorithm V selects which of two verification patterns to use. For example, verifier algorithm V may select a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_B. This challenge Ch_B is sent to prover algorithm P.
Operation #5:
On receiving the challenge Ch_B, prover algorithm P generates, in response to the received challenge Ch_B, a response Rsp to be sent to verifier algorithm V. In the case Ch_B = 0, prover algorithm P generates the response Rsp = r_0. In the case Ch_B = 1, prover algorithm P generates the response Rsp = r_1. The response Rsp generated in operation #5 is sent to verifier algorithm V.
Operation #6:
On receiving the response Rsp, verifier algorithm V performs the following verification process using the received response Rsp.
In the case Ch_B = 0, verifier algorithm V checks whether the equation c_0 = H(r_0, Ch_A · r_0 − t_1, Ch_A · F(r_0) + G_y(r_0, u_1) − e_1) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
In the case Ch_B = 1, verifier algorithm V checks whether the equation c_1 = H(r_1, Ch_A · r_1 − u_1, Ch_A · (y − F(r_1)) − G_x(t_1, r_1) − e_1) holds. Verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
This concludes the description of the example of the extended algorithm structure for the 5-pass scheme. Using this algorithm, the amount of data that must be communicated is significantly reduced. In addition, using cubic polynomials achieves higher security.
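As an added example (not the patent's own code), the cubic-polynomial decomposition F(x + y) = F(x) + F(y) + G_x(x, y) + G_y(x, y) behind the extended algorithm of Fig. 12 and the verifier's recomputations of operation #6, over a constructed toy ring K = GF(31). Formulas (17), (19) and (20) are not in this section, so the split of the cross terms (cubic terms with one factor from x go to G_x, everything else to G_y) is this example's own assumption, chosen to give the linearity the text requires; the hash H is left out so the tuples the verifier would hash can be compared directly with the committed ones.

```python
import itertools
import random

# Added example, not the patent's own code. Constructed toy ring K = GF(q).
q = 31

def vadd(a, b):
    return [(x + y) % q for x, y in zip(a, b)]

def vsub(a, b):
    return [(x - y) % q for x, y in zip(a, b)]

def vscale(c, a):
    return [(c * x) % q for x in a]

def rand_vec(rng, n):
    return [rng.randrange(q) for _ in range(n)]

def eval_F(system, x):
    """F(x) = (f_1(x), ..., f_m(x)); each f_l is a dict {index tuple: coefficient}."""
    out = []
    for f in system:
        v = 0
        for mono, a in f.items():
            for i in mono:
                a *= x[i]
            v += a
        out.append(v % q)
    return out

def keygen(n, m, seed):
    """m random cubic polynomials with length-3 (cubic) and length-2 (quadratic)
    monomials, a secret s in K^n and y = F(s)."""
    rng = random.Random(seed)
    system = []
    for _ in range(m):
        f = {mono: rng.randrange(q)
             for mono in itertools.combinations_with_replacement(range(n), 3)}
        f.update({mono: rng.randrange(q)
                  for mono in itertools.combinations_with_replacement(range(n), 2)})
        system.append(f)
    s = rand_vec(rng, n)
    return system, s, eval_F(system, s)

def cross_terms(f, x, y, from_x, degree):
    """Terms of f(x + y) coming from monomials of the given degree in which
    exactly `from_x` factors are taken from x and the rest from y."""
    v = 0
    for mono, a in f.items():
        if len(mono) != degree:
            continue
        for pos in itertools.combinations(range(degree), from_x):
            term = a
            for k, i in enumerate(mono):
                term *= x[i] if k in pos else y[i]
            v += term
    return v % q

def G_x(system, x, y):
    """Cubic cross terms with one factor from x: linear in x (assumed split)."""
    return [cross_terms(f, x, y, 1, 3) for f in system]

def G_y(system, x, y):
    """Cubic cross terms with two factors from x plus the bilinear quadratic
    cross terms (assigned to G_y by this example's convention): linear in y."""
    return [(cross_terms(f, x, y, 2, 3) + cross_terms(f, x, y, 1, 2)) % q for f in system]

def decomposition_holds(system, x, y):
    """F(x + y) = F(x) + F(y) + G_x(x, y) + G_y(x, y)."""
    rhs = vadd(vadd(eval_F(system, x), eval_F(system, y)),
               vadd(G_x(system, x, y), G_y(system, x, y)))
    return eval_F(system, vadd(x, y)) == rhs

def prover_operation1(system, s, rng):
    """Fig. 12, operation #1: the masks and the tuples that c_0 and c_1 hash."""
    n, m = len(s), len(system)
    r0, t0, u0 = (rand_vec(rng, n) for _ in range(3))
    e0 = rand_vec(rng, m)
    r1 = vsub(s, r0)
    c0 = (r0, t0, vsub(e0, G_y(system, r0, u0)))
    c1 = (r1, u0, vadd(G_x(system, t0, r1), e0))
    return dict(r0=r0, r1=r1, t0=t0, u0=u0, e0=e0, c0=c0, c1=c1)

def prover_operation3(system, st, chA):
    """Operation #3: t_1, u_1, e_1 from the challenge Ch_A."""
    t1 = vsub(vscale(chA, st["r0"]), st["t0"])
    u1 = vsub(vscale(chA, st["r1"]), st["u0"])
    e1 = vsub(vscale(chA, vadd(eval_F(system, st["r0"]),
                               G_y(system, st["r0"], st["r1"]))), st["e0"])
    return t1, u1, e1

def verifier_operation6(system, y, chA, t1, u1, e1, chB, rsp):
    """Operation #6: the tuple the verifier hashes against c_0 (Ch_B = 0) or c_1 (Ch_B = 1)."""
    if chB == 0:
        r0 = rsp
        return (r0, vsub(vscale(chA, r0), t1),
                vsub(vadd(vscale(chA, eval_F(system, r0)), G_y(system, r0, u1)), e1))
    r1 = rsp
    inner = vsub(vsub(vscale(chA, vsub(y, eval_F(system, r1))), G_x(system, t1, r1)), e1)
    return (r1, vsub(vscale(chA, r1), u1), inner)

def round_passes(system, y, s, chA, chB, seed):
    """One round with fixed challenges; True iff the verifier's tuple matches the commitment."""
    st = prover_operation1(system, s, random.Random(seed))
    t1, u1, e1 = prover_operation3(system, st, chA)
    rsp = st["r0"] if chB == 0 else st["r1"]
    expected = st["c0"] if chB == 0 else st["c1"]
    return verifier_operation6(system, y, chA, t1, u1, e1, chB, rsp) == expected
```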
(3-3-2: Parallel Algorithm (Fig. 13))
Next, the method of parallelizing the extended algorithm for the 5-pass scheme is described with reference to Fig. 13. Further description of the structure of the key generation algorithm Gen is omitted.
Operation #1:
As shown in Fig. 13, prover algorithm P performs the following process for i = 1 to N. First, prover algorithm P randomly generates vectors r_0i, t_0i, u_0i that are elements of the set K^n and a vector e_0i that is an element of the set K^m. Next, prover algorithm P computes r_1i ← s − r_0i. This computation is equivalent to masking the secret key s with the vector r_0i. Next, prover algorithm P computes c_0i ← H(r_0i, t_0i, e_0i − G_y(r_0i, u_0i)). Next, prover algorithm P computes c_1i ← H(r_1i, u_0i, G_x(t_0i, r_1i) + e_0i).
Operation #1 (continuation):
After computing (c_01, c_11, ..., c_0N, c_1N), prover algorithm P computes the hash value Cmt ← H(c_01, c_11, ..., c_0N, c_1N). The hash value Cmt generated in operation #1 is sent to verifier algorithm V.
Operation #2:
On receiving the hash value Cmt, verifier algorithm V randomly selects numbers Ch_A1, ..., Ch_AN. The numbers Ch_A1, ..., Ch_AN are sent to prover algorithm P.
Operation #3:
On receiving the numbers Ch_A1, ..., Ch_AN, prover algorithm P performs the following process for i = 1 to N. First, prover algorithm P computes t_1i ← Ch_Ai · r_0i − t_0i. Next, prover algorithm P computes u_1i ← Ch_Ai · r_1i − u_0i. Next, prover algorithm P computes e_1i ← Ch_Ai · F(r_0i) + Ch_Ai · G_y(r_0i, r_1i) − e_0i.
Then, (t_11, u_11, e_11, ..., t_1N, u_1N, e_1N) generated in operation #3 is sent to verifier algorithm V.
Operation #4:
On receiving (t_11, u_11, e_11, ..., t_1N, u_1N, e_1N), verifier algorithm V selects, for i = 1 to N, which of two verification patterns to use. For example, verifier algorithm V may select, for i = 1 to N, a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_Bi. The challenges Ch_B1 to Ch_BN are sent to prover algorithm P.
Operation #5:
On receiving the challenges Ch_{B1} to Ch_{BN}, the prover algorithm P generates, for i = 1 to N, a response Rsp_i to send to the verifier algorithm V according to the received challenge Ch_{Bi}. When Ch_{Bi} = 0, the prover algorithm P generates the response Rsp_i = (r_{0i}, c_{1i}). When Ch_{Bi} = 1, the prover algorithm P generates the response Rsp_i = (r_{1i}, c_{0i}). The responses Rsp_i generated in operation #5 are sent to the verifier algorithm V.
Operation #6:
On receiving the responses Rsp_i (i = 1 to N), the verifier algorithm V performs the following process for i = 1 to N using the received Rsp_i.
When Ch_{Bi} = 0, the verifier algorithm V computes c_{0i} = H(r_{0i}, Ch_{Ai}·r_{0i} − t_{1i}, Ch_{Ai}·F(r_{0i}) + G_y(r_{0i}, u_{1i}) − e_{1i}). The verifier algorithm V then stores (c_{0i}, c_{1i}).
When Ch_{Bi} = 1, the verifier algorithm V computes c_{1i} = H(r_{1i}, Ch_{Ai}·r_{1i} − u_{1i}, Ch_{Ai}·(y − F(r_{1i})) − G_x(t_{1i}, r_{1i}) − e_{1i}). The verifier algorithm V then stores (c_{0i}, c_{1i}).
After performing the above process for i = 1 to N, the verifier algorithm V verifies whether the equation Cmt = H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) holds. The verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
The parallelized structure of the extended algorithm for the 5-pass scheme has been described above. Using this algorithm greatly reduces the amount of data needed for communication. Moreover, using cubic polynomials achieves higher security.
[3-4: Efficient algorithm based on higher-order polynomials (scheme #2)]
So far, the method of constructing an efficient algorithm using cubic polynomials f_l over the ring R has been described. Here, the method of constructing an extended algorithm using higher-order polynomials f_l defined over a ring R of characteristic q and order q^k is considered. A higher-order polynomial f_l is represented, for example, by formula (38) below. When higher-order polynomials f_l are used, the component g_l of the polynomial G defined as G(x, y) = F(x + y) − F(x) − F(y) = (g_1, …, g_m) is represented by formula (39) below.
[Mathematical expression 19]
$$f_l(x_1, \dots, x_n) = \sum_{i,j,z,w} a_{lijzw}\, x_i^{q^z} x_j^{q^w} + \sum_{i,z} b_{liz}\, x_i^{q^z} \quad \cdots (38)$$
$$g_l(x_1, \dots, x_n, y_1, \dots, y_n) = \sum_{i,j,z,w} \left(a_{lijzw} + a_{ljizw}\right) x_i^{q^z} y_j^{q^w} = \sum_z g_{lz}(x_1, \dots, x_n, y_1, \dots, y_n) \quad \cdots (39)$$
For Ch_A, an element of the set R, the relation shown in formula (40) below holds. In addition, the relation shown in formula (41) below also holds. Therefore, using this property (called almost linearity below), the public key F(s) is divided into terms that are multiples of Ch_A by introducing new variables r_0, r_1, t_{0z} and e_0. Since G has almost linearity, the relations of formulas (42) to (44) below are established using the variables r_0, r_1, t_{0z} and e_0. Formulas (42) to (44) below can each be divided into a first part that depends on Ch_A and a second part that does not depend on Ch_A. Here, the first part can be reproduced using (r_1, t_{1z}, e_1). The second part can be reproduced using (r_0, t_{1z}, e_1).
For example, "e_0, Σ_z G_z(t_{0z}, r_1)" included in formula (42) below, "t_{0z}" included in formula (43) below, and "e_0" included in formula (44) below are first parts. On the other hand, "Ch_A·F(r_0 + r_1), e_1, Ch_A·F(r_1), Σ_z G_z(t_{1z}, r_1)" included in formula (42) below, "Ch_A^{q(z)}·r_0, t_{1z}" included in formula (43) below (where q(z) = q^z, and the same applies to the following description), and "Ch_A·F(r_0), e_1" included in formula (44) below are second parts.
From the definition of the secret key s and the relations of formulas (42) to (44) below, it is guaranteed that the secret key s is obtained even when either (r_1, t_{1z}, e_1) or (r_0, t_{1z}, e_1) is used. Using this property makes it possible to construct, for example, an efficient algorithm for the 5-pass scheme that uses higher-order polynomials f_l over the ring R (called the higher-order extended algorithm below).
[Mathematical expression 20]
$$Ch_A \cdot G(x, y) = \sum_z G_z\!\left(Ch_A^{\,q^{-z}} x,\; y\right) \quad \cdots (40)$$
$$G(x_1 + x_2, y) = G(x_1, y) + G(x_2, y) \quad \cdots (41)$$
$$Ch_A \cdot F(r_0 + r_1) = e_0 + e_1 + Ch_A \cdot F(r_1) + \sum_z G_z(t_{0z}, r_1) + \sum_z G_z(t_{1z}, r_1) \quad \cdots (42)$$
$$(Ch_A)^{q^{-z}} \cdot r_0 = t_{0z} + t_{1z} \quad \cdots (43)$$
$$Ch_A \cdot F(r_0) = e_0 + e_1 \quad \cdots (44)$$
An example of a specific structure of the higher-order extended algorithm is described below. Two basic points in the design of the higher-order extended algorithm are: the messages represented by formulas (45) and (46) below are sent to the verifier, and the part depending on Ch_A (the first part) is verified for the Ch_A selected by the verifier. Here, since it is necessary to "prevent the r_0 and r_1 used when generating the messages from being replaced by other r_0 and r_1 at verification", an example of a structure that adds a verification regarding r_0 and r_1 is introduced below.
[Mathematical expression 21]
$$c_0 = H(t_{01}, \dots, t_{0k}, e_0) \quad \cdots (45)$$
$$c_1 = H\!\left(\sum_z G_z(t_{0z}, r_1) + e_0\right) \quad \cdots (46)$$
(3-4-1: Basic structure (Figure 14))
First, the basic structure of the higher-order extended algorithm for the 5-pass scheme is described with reference to Figure 14. A further description of the structure of the key generation algorithm Gen is omitted.
Operation #1:
As shown in Figure 14, the prover algorithm P randomly generates vectors r_0, t_{01}, …, t_{0k} that are elements of the set K^n and a vector e_0 that is an element of the set K^m. Next, the prover algorithm P computes r_1 <- s − r_0. This computation is equivalent to masking the secret key s with the vector r_0. Next, the prover algorithm P computes c_0 <- H(r_0, t_{01}, …, t_{0k}, e_0). Next, the prover algorithm P computes c_1 <- H(r_1, Σ_z G_z(t_{0z}, r_1) + e_0) (where Σ_z denotes the sum for z = 1 to k). The message (c_0, c_1) generated in operation #1 is sent to the verifier algorithm V.
Operation #2:
On receiving the message (c_0, c_1), the verifier algorithm V randomly selects a number Ch_A. The number Ch_A is sent to the prover algorithm P.
Operation #3:
On receiving the number Ch_A, the prover algorithm P computes t_{1z} <- (Ch_A)^{q(z−1)}·r_0 − t_{0z} for z = 1 to k. Next, the prover algorithm P computes e_1 <- Ch_A·F(r_0) − e_0. The (t_{11}, …, t_{1k}, e_1) generated in operation #3 is sent to the verifier algorithm V.
Operation #4:
On receiving (t_{11}, …, t_{1k}, e_1), the verifier algorithm V selects which of two verification patterns to use. For example, the verifier algorithm V may select a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_B. This challenge Ch_B is sent to the prover algorithm P.
Operation #5:
On receiving the challenge Ch_B, the prover algorithm P generates a response Rsp to send to the verifier algorithm V according to the received challenge Ch_B. When Ch_B = 0, the prover algorithm P generates the response Rsp = r_0. When Ch_B = 1, the prover algorithm P generates the response Rsp = r_1. The response Rsp generated in operation #5 is sent to the verifier algorithm V.
Operation #6:
On receiving the response Rsp, the verifier algorithm V performs the following verification process using the received Rsp.
When Ch_B = 0, the verifier algorithm V verifies whether the equation c_0 = H(r_0, (Ch_A)^{q(0)}·r_0 − t_{11}, …, (Ch_A)^{q(k−1)}·r_0 − t_{1k}, Ch_A·F(r_0) − e_1) holds. The verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
When Ch_B = 1, the verifier algorithm V verifies whether the equation c_1 = H(r_1, Ch_A·(y − F(r_1)) − Σ_z G_z(t_{1z}, r_1) − e_1) holds. The verifier algorithm V outputs the value 1 to indicate authentication success when this verification succeeds, and outputs the value 0 to indicate authentication failure when it fails.
An example of the structure of the higher-order extended algorithm for the 5-pass scheme has been described above. Using this algorithm greatly reduces the amount of data needed for communication. Moreover, using higher-order polynomials achieves higher security.
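The basic structure of 3-4-1 and the identities (39) and (40) it rests on, worked through in an added Python example that is not part of the patent: it instantiates R as GF(9) (q = 3, k = 2) with constructed coefficients, indexes t_{0z} by z = 0 to k−1 so that Ch_A^{q^{-z}} is applied exactly as in formula (43), and runs one execution of the five passes for either value of Ch_B. The parameter sizes, the coefficient seed, and the choice of SHA-256 for H are assumptions of this example.

```python
import functools
import hashlib
import random

# Constructed toy parameters: R = GF(q^k) with q = 3, k = 2 (so GF(9)), n = 2 variables, m = 2 polynomials.
# An element of GF(9) is a pair (a0, a1) standing for a0 + a1*X with X^2 = -1 (X^2 + 1 is irreducible over GF(3)).
Q, K, N, M = 3, 2, 2, 2
ZERO, ONE = (0, 0), (1, 0)

def add(a, b): return ((a[0] + b[0]) % Q, (a[1] + b[1]) % Q)
def sub(a, b): return ((a[0] - b[0]) % Q, (a[1] - b[1]) % Q)
def mul(a, b): return ((a[0] * b[0] - a[1] * b[1]) % Q, (a[0] * b[1] + a[1] * b[0]) % Q)

def frob(a, z):
    """a^(q^z); the Frobenius map has order k on GF(q^k), so a negative z is taken mod k (q^-z = q^(k-z))."""
    for _ in range(z % K):
        a = mul(mul(a, a), a)                           # a -> a^q with q = 3
    return a

def vadd(u, v): return tuple(add(a, b) for a, b in zip(u, v))
def vsub(u, v): return tuple(sub(a, b) for a, b in zip(u, v))
def vscale(c, v): return tuple(mul(c, a) for a in v)
def vsum(vs): return functools.reduce(vadd, vs, tuple(ZERO for _ in range(M)))
def rand_elem(r): return (r.randrange(Q), r.randrange(Q))
def rand_vec(r, n): return tuple(rand_elem(r) for _ in range(n))

# Coefficients a_{lijzw} and b_{liz} of formula (38), drawn once from a fixed seed (constructed, not from the patent).
_coef = random.Random(2012)
A = [[[[[rand_elem(_coef) for _ in range(K)] for _ in range(K)] for _ in range(N)] for _ in range(N)] for _ in range(M)]
B = [[[rand_elem(_coef) for _ in range(K)] for _ in range(N)] for _ in range(M)]

def F(x):
    """F(x) = (f_1(x), ..., f_m(x)), each f_l as in formula (38)."""
    out = []
    for l in range(M):
        acc = ZERO
        for i in range(N):
            for z in range(K):
                xi = frob(x[i], z)
                acc = add(acc, mul(B[l][i][z], xi))
                for j in range(N):
                    for w in range(K):
                        acc = add(acc, mul(A[l][i][j][z][w], mul(xi, frob(x[j], w))))
        out.append(acc)
    return tuple(out)

def G_z(z, x, y):
    """G_z of formula (39): the terms of G(x, y) = F(x+y) - F(x) - F(y) in which x carries exponent q^z.
    Since (x+y)^(q^z) = x^(q^z) + y^(q^z) in characteristic q, each a_{lijzw} term of (38) contributes
    x_i^{q^z} y_j^{q^w} (collected here) and y_i^{q^z} x_j^{q^w} (collected in G_w)."""
    out = []
    for l in range(M):
        acc = ZERO
        for i in range(N):
            for j in range(N):
                for w in range(K):
                    acc = add(acc, mul(A[l][i][j][z][w], mul(frob(x[i], z), frob(y[j], w))))
                    acc = add(acc, mul(A[l][i][j][w][z], mul(frob(y[i], w), frob(x[j], z))))
        out.append(acc)
    return tuple(out)

def G(x, y): return vsum(G_z(z, x, y) for z in range(K))
def H(*parts): return hashlib.sha256(repr(parts).encode()).hexdigest()

def check_identities(seed=3):
    """Formula (39) (the G_z sum to G) and formula (40) (almost linearity) on random inputs."""
    r = random.Random(seed)
    x, y, ch = rand_vec(r, N), rand_vec(r, N), rand_elem(r)
    direct = vsub(vsub(F(vadd(x, y)), F(x)), F(y))
    rhs = vsum(G_z(z, vscale(frob(ch, -z), x), y) for z in range(K))
    return direct == G(x, y) and vscale(ch, G(x, y)) == rhs

# The five passes of 3-4-1 (Figure 14). z runs over 0..k-1 and Ch_A^{q^-z} is applied as in formula (43).
def prover_commit(s, r):
    r0, e0 = rand_vec(r, N), rand_vec(r, M)
    t0 = tuple(rand_vec(r, N) for _ in range(K))
    r1 = vsub(s, r0)                                    # mask the secret key s with r_0
    c1_arg = vadd(e0, vsum(G_z(z, t0[z], r1) for z in range(K)))
    return (H(r0, t0, e0), H(r1, c1_arg)), dict(r0=r0, r1=r1, t0=t0, e0=e0)

def prover_respond_a(st, chA):
    t1 = tuple(vsub(vscale(frob(chA, -z), st["r0"]), st["t0"][z]) for z in range(K))   # formula (43)
    e1 = vsub(vscale(chA, F(st["r0"])), st["e0"])                                       # formula (44)
    return t1, e1

def verify(y, com, chA, t1, e1, chB, rsp):
    c0, c1 = com
    if chB == 0:                                        # Rsp = r_0: rebuild t_{0z} and e_0, recompute c_0
        t0 = tuple(vsub(vscale(frob(chA, -z), rsp), t1[z]) for z in range(K))
        return c0 == H(rsp, t0, vsub(vscale(chA, F(rsp)), e1))
    # Rsp = r_1: Ch_A(y - F(r_1)) - sum_z G_z(t_{1z}, r_1) - e_1 equals sum_z G_z(t_{0z}, r_1) + e_0 by (42)-(44)
    c1_arg = vsub(vsub(vscale(chA, vsub(y, F(rsp))), e1), vsum(G_z(z, t1[z], rsp) for z in range(K)))
    return c1 == H(rsp, c1_arg)

def run_protocol(seed=7, chB=0, tamper=False):
    r = random.Random(seed)
    s = rand_vec(r, N)
    y = F(s)                                            # public key y = F(s)
    com, st = prover_commit(s, r)
    chA = rand_elem(r)
    t1, e1 = prover_respond_a(st, chA)
    rsp = st["r0"] if chB == 0 else st["r1"]
    if tamper:                                          # answer with a vector other than the committed one
        rsp = vadd(rsp, (ONE,) + (ZERO,) * (N - 1))
    return verify(y, com, chA, t1, e1, chB, rsp)
```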
(3-4-2: Parallel algorithm (configuration example 1) (Figure 15))
Next, a method of parallelizing the higher-order extended algorithm for the 5-pass scheme is described with reference to Figure 15. A further description of the structure of the key generation algorithm Gen is omitted.
Operation #1:
As shown in Figure 15, the prover algorithm P performs the following process for i = 1 to N. First, the prover algorithm P randomly generates vectors r_{0i}, t_{01i}, …, t_{0ki} that are elements of the set K^n and a vector e_{0i} that is an element of the set K^m. Next, the prover algorithm P computes r_{1i} <- s − r_{0i}. This computation is equivalent to masking the secret key s with the vector r_{0i}. Next, the prover algorithm P computes c_{0i} <- H(r_{0i}, t_{01i}, …, t_{0ki}, e_{0i}). Next, the prover algorithm P computes c_{1i} <- H(r_{1i}, Σ_z G_z(t_{0zi}, r_{1i}) + e_{0i}) (where Σ_z denotes the sum for z = 1 to k). The messages (c_{0i}, c_{1i}) (where i = 1 to N) generated in operation #1 are sent to the verifier algorithm V.
Operation #2:
On receiving the messages (c_{0i}, c_{1i}) (where i = 1 to N), the verifier algorithm V randomly selects numbers Ch_{A1}, …, Ch_{AN}. The numbers Ch_{A1}, …, Ch_{AN} are sent to the prover algorithm P.
Operation #3:
On receiving the numbers Ch_{A1}, …, Ch_{AN}, the prover algorithm P computes t_{1zi} <- (Ch_{Ai})^{q(z−1)}·r_{0i} − t_{0zi} for i = 1 to N and z = 1 to k. Next, the prover algorithm P computes e_{1i} <- Ch_{Ai}·F(r_{0i}) − e_{0i}. Then (t_{11i}, …, t_{1ki}, e_{1i}) (where i = 1 to N) generated in operation #3 is sent to the verifier algorithm V.
Operation #4:
On receiving (t_{11i}, …, t_{1ki}, e_{1i}) (where i = 1 to N), the verifier algorithm V selects, for i = 1 to N, which of two verification patterns to use. For example, the verifier algorithm V may, for i = 1 to N, select a value from the two values {0, 1} representing the verification patterns and set the selected value in the challenge Ch_{Bi}. The challenges Ch_{Bi} (where i = 1 to N) are sent to the prover algorithm P.
Operation #5:
On receiving the challenges Ch_{Bi} (where i = 1 to N), the prover algorithm P generates, for i = 1 to N, a response Rsp_i to send to the verifier algorithm V according to the received challenge Ch_{Bi}. When Ch_{Bi} = 0, the prover algorithm P generates the response Rsp_i = r_{0i}. When Ch_{Bi} = 1, the prover algorithm P generates the response Rsp_i = r_{1i}. The responses Rsp_i (where i = 1 to N) generated in operation #5 are sent to the verifier algorithm V.
Operation #6:
On receiving the responses Rsp_i (i = 1 to N), the verifier algorithm V performs the following verification process for i = 1 to N using the received Rsp_i.
When Ch_{Bi} = 0, the verifier algorithm V verifies whether the equation c_{0i} = H(r_{0i}, (Ch_{Ai})^{q(0)}·r_{0i} − t_{11i}, …, (Ch_{Ai})^{q(k−1)}·r_{0i} − t_{1ki}, Ch_{Ai}·F(r_{0i}) − e_{1i}) holds. When Ch_{Bi} = 1, the verifier algorithm V verifies whether the equation c_{1i} = H(r_{1i}, Ch_{Ai}·(y − F(r_{1i})) − Σ_z G_z(t_{1zi}, r_{1i}) − e_{1i}) holds.
The verifier algorithm V outputs the value 1 to indicate authentication success when all of these verifications succeed, and outputs the value 0 to indicate authentication failure when any verification fails.
The parallelized structure of the higher-order extended algorithm for the 5-pass scheme has been described above. Using this algorithm greatly reduces the amount of data needed for communication. Moreover, using higher-order polynomials achieves higher security.
(3-4-3: Parallel algorithm (configuration example 2: higher efficiency) (Figure 16))
However, in the parallelized structure of the higher-order extended algorithm shown in Figure 15, the messages (c_{0i}, c_{1i}) (where i = 1 to N) are sent unchanged in the first pass. Considering communication efficiency, it is preferable to send the messages (c_{0i}, c_{1i}) (where i = 1 to N) together as a single hash value. To send the messages (c_{0i}, c_{1i}) (where i = 1 to N) together as a single hash value in the first pass, the algorithm structure can be modified as shown in Figure 16.
In the structure example of Figure 16, the prover algorithm P computes the hash value Cmt <- H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) in operation #1. When generating the response Rsp_i in operation #5, the prover algorithm P generates the response Rsp_i = (r_{0i}, c_{1i}) when Ch_{Bi} = 0 and the response Rsp_i = (r_{1i}, c_{0i}) when Ch_{Bi} = 1. On the other hand, the verifier algorithm V generates (c_{01}, c_{11}, …, c_{0N}, c_{1N}) from (Ch_{Ai}, Ch_{Bi}, Rsp_i) (where i = 1 to N) in operation #6 and verifies whether the equation Cmt = H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) holds. Making this modification achieves a further improvement in communication efficiency.
An efficient parallel algorithm based on the higher-order extended algorithm has been described above.
(3-4-4: Parallel algorithm (configuration example 2: even higher efficiency) (Figure 17))
However, in the parallelized structure of the higher-order extended algorithm shown in Figure 15, the messages (c_{0i}, c_{1i}) (where i = 1 to N) are sent unchanged in the first pass. In addition, (t_{11i}, …, t_{1ki}, e_{1i}) (where i = 1 to N) is sent unchanged in the third pass. Considering communication efficiency, it is preferable to send the messages (c_{0i}, c_{1i}) (where i = 1 to N) together as a single hash value. It is also preferable to send (t_{11i}, …, t_{1ki}, e_{1i}) (where i = 1 to N) together as a single hash value. To send the messages (c_{0i}, c_{1i}) (where i = 1 to N) together as a single hash value in the first pass and (t_{11i}, …, t_{1ki}, e_{1i}) (where i = 1 to N) together as a single hash value in the third pass, the algorithm structure is modified as shown in Figure 17.
In the structure example of Figure 17, the prover algorithm P computes the hash value Cmt <- H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) in operation #1. The prover algorithm P computes the hash value Cmt_B <- H(t_{111}, …, t_{1kN}, e_{11}, …, e_{1N}) in operation #3. When generating the response Rsp_i in operation #5, the prover algorithm P generates the response Rsp_i = (r_{0i}, t_{01i}, …, t_{0ki}, e_{0i}, c_{1i}) when Ch_{Bi} = 0 and the response Rsp_i = (r_{1i}, t_{11i}, …, t_{1ki}, e_{1i}, c_{0i}) when Ch_{Bi} = 1.
On the other hand, the verifier algorithm V generates (c_{01}, c_{11}, …, c_{0N}, c_{1N}) from (Ch_{Ai}, Ch_{Bi}, Rsp_i) (where i = 1 to N) and (t_{111}, …, t_{1kN}, e_{11}, …, e_{1N}) in operation #6, and verifies whether the equations Cmt_A = (c_{01}, c_{11}, …, c_{0N}, c_{1N}) and Cmt_B = (t_{111}, …, t_{1kN}, e_{11}, …, e_{1N}) hold. Making this modification achieves a further improvement in communication efficiency.
Another efficient parallel algorithm based on the higher-order extended algorithm has been described above.
By applying the higher-order extended algorithm described above, an efficient public-key authentication scheme with higher security can be realized. For example, in the extended algorithm for the 5-pass scheme, when (q, n, m, N) = (24, 45, 30, 88), the size of the public key is 120, the size of the secret key is 180, and the size of the communication data is 27512.
For example, when the higher-order extended algorithm for the 5-pass scheme satisfies (q, n, m, N) = (22, 42, 40, 118), security of the same degree is guaranteed. Under this condition, the size of the public key is 80, the size of the secret key is 84, and the size of the communication data is 27814. That is, by applying the higher-order extended algorithm, the size of the communication data can be kept at the same level while the sizes of the public key and the secret key are significantly reduced.
This condition can be modified to (q, n, m, N) = (23, 28, 27, 97). In this case, the size of the public key is 81, the size of the secret key is 84, and the size of the communication data is 27145. In addition, this condition can be modified to (q, n, m, N) = (24, 21, 20, 88). In this case, the size of the public key is 80, the size of the secret key is 84, and the size of the communication data is 28392. Under any of these conditions, a significant gain in efficiency is achieved.
<4: Modification into a digital signature scheme>
Here, a method of modifying the public-key authentication scheme described above into a digital signature scheme is introduced.
When the prover in the model of the public-key authentication scheme is matched with the signer in the digital signature scheme, the approximation to the model of the digital signature scheme can easily be understood, since only the prover can convince the verifier. Based on this idea, the method of modifying the public-key authentication scheme described above into a digital signature scheme is described.
[4-1: Modification of the 3-pass public-key authentication scheme into a digital signature scheme]
First, the modification of the 3-pass public-key authentication scheme into a digital signature scheme is described.
(4-1-1: Digital signature algorithm (configuration example 1) (Figure 18))
As shown in Figure 18, the efficient algorithm for the 3-pass scheme (see, for example, Figures 6 and 8) is represented by three passes of interaction and four operations (operations #1 to #4).
Operation #1 includes a process (1) of generating a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}, c_{2i}) and a process (2) of computing Cmt <- H(c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}). The Cmt generated by the prover algorithm P in operation #1 is sent to the verifier algorithm V.
Operation #2 includes a process of selecting Ch_1, …, Ch_N. The Ch_1, …, Ch_N selected by the verifier algorithm V in operation #2 are sent to the prover algorithm P.
Operation #3 includes a process of generating Rsp_1, …, Rsp_N using Ch_1, …, Ch_N and a_1, …, a_N. This process is represented as Rsp_i <- Select(Ch_i, a_i). The Rsp_1, …, Rsp_N generated by the prover algorithm P in operation #3 are sent to the verifier algorithm V.
Operation #4 includes a process (1) of reproducing c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N} using Ch_1, …, Ch_N and Rsp_1, …, Rsp_N, and a process (2) of verifying Cmt = H(c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}) using the reproduced c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}.
The algorithm of the public-key authentication scheme represented by operations #1 to #4 above is modified into the signature generation algorithm Sig and the signature verification algorithm Ver shown in Figure 18.
(Signature generation algorithm Sig)
First, the structure of the signature generation algorithm Sig is described. The signature generation algorithm Sig includes the following processes (1) to (5).
Process (1): The signature generation algorithm Sig generates a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}, c_{2i}).
Process (2): The signature generation algorithm Sig computes Cmt <- H(c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}).
Process (3): The signature generation algorithm Sig computes (Ch_1, …, Ch_N) <- H(M, Cmt). Here, M is the document to which the signature is attached.
Process (4): The signature generation algorithm Sig computes Rsp_i <- Select(Ch_i, a_i).
Process (5): The signature generation algorithm Sig sets (Cmt, Rsp_1, …, Rsp_N) as the signature.
(Signature verification algorithm Ver)
Next, the structure of the signature verification algorithm Ver is described. The signature verification algorithm Ver includes the following processes (1) to (3).
Process (1): The signature verification algorithm Ver computes (Ch_1, …, Ch_N) <- H(M, Cmt).
Process (2): The signature verification algorithm Ver reproduces c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N} using Ch_1, …, Ch_N and Rsp_1, …, Rsp_N.
Process (3): The signature verification algorithm Ver verifies Cmt = H(c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}) using the reproduced c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}.
As described above, by matching the prover in the model of the public-key authentication scheme with the signer in the digital signature scheme, the algorithm of the public-key authentication scheme can be modified into the algorithm of a digital signature scheme.
(4-1-2: Digital signature algorithm (configuration example 2: higher efficiency) (Figure 19))
Focusing on the signature generation algorithm Sig shown in Figure 18, it can be seen that hash values are computed in processes (2) and (3). Focusing on the signature verification algorithm Ver, it can be seen that process (1) computes the same hash value as process (3) of the signature generation algorithm Sig. When the structures of the signature generation algorithm Sig and the signature verification algorithm Ver are improved with attention to these processes, as shown in Figure 19, computational efficiency can be further improved.
(Signature generation algorithm Sig)
First, the structure of the improved signature generation algorithm Sig is described with reference to Figure 19. The signature generation algorithm Sig includes the following processes (1) to (4).
Process (1): The signature generation algorithm Sig generates a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}, c_{2i}).
Process (2): The signature generation algorithm Sig computes (Ch_1, …, Ch_N) <- H(M, c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}). Here, M is the document to which the signature is attached.
Process (3): The signature generation algorithm Sig computes Rsp_i <- Select(Ch_i, a_i).
Process (4): The signature generation algorithm Sig sets (Ch_1, …, Ch_N, Rsp_1, …, Rsp_N) as the signature.
(Signature verification algorithm Ver)
Next, the structure of the improved signature verification algorithm Ver is described. The signature verification algorithm Ver includes the following processes (1) and (2).
Process (1): The signature verification algorithm Ver reproduces c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N} using Ch_1, …, Ch_N and Rsp_1, …, Rsp_N.
Process (2): The signature verification algorithm Ver verifies (Ch_1, …, Ch_N) = H(c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}) using the reproduced c_{01}, c_{11}, c_{21}, …, c_{0N}, c_{1N}, c_{2N}.
By improving the structures of the signature generation algorithm Sig and the signature verification algorithm Ver as described above, the computation of a hash value in each algorithm is reduced by one, and computational efficiency is therefore improved.
[4-2: Modification of the 5-pass public-key authentication scheme into a digital signature scheme]
Next, the modification of the public-key authentication scheme for the 5-pass scheme into a digital signature scheme is described.
(4-2-1: Digital signature algorithm (configuration example 1) (Figure 20))
As shown in Figure 20, the efficient algorithm for the 5-pass scheme (see, for example, Figures 11, 13 and 16) is represented by five passes of interaction and six operations (operations #1 to #6).
Operation #1 includes a process (1) of generating a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}) for i = 1 to N and a process (2) of computing Cmt <- H(c_{01}, c_{11}, …, c_{0N}, c_{1N}). The Cmt generated by the prover algorithm P in operation #1 is sent to the verifier algorithm V.
Operation #2 includes a process of selecting Ch_{A1}, …, Ch_{AN}. The Ch_{A1}, …, Ch_{AN} selected by the verifier algorithm V in operation #2 are sent to the prover algorithm P.
Operation #3 includes a process of generating b_i = (t_{1i}, e_{1i}) for i = 1 to N. Here, the b_1, …, b_N generated by the prover algorithm P in operation #3 are sent to the verifier algorithm V.
Operation #4 includes a process of selecting Ch_{B1}, …, Ch_{BN}. The Ch_{B1}, …, Ch_{BN} selected by the verifier algorithm V in operation #4 are sent to the prover algorithm P.
Operation #5 includes a process of generating Rsp_1, …, Rsp_N using Ch_{B1}, …, Ch_{BN}, a_1, …, a_N, b_1, …, b_N. This process is represented as Rsp_i <- Select(Ch_{Bi}, a_i, b_i). The Rsp_1, …, Rsp_N generated by the prover algorithm P in operation #5 are sent to the verifier algorithm V.
Operation #6 includes a process (1) of reproducing c_{01}, c_{11}, …, c_{0N}, c_{1N} using Ch_{A1}, …, Ch_{AN}, Ch_{B1}, …, Ch_{BN}, Rsp_1, …, Rsp_N, and a process (2) of verifying Cmt = H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) using the reproduced c_{01}, c_{11}, …, c_{0N}, c_{1N}.
The algorithm of the public-key authentication scheme represented by operations #1 to #6 above is modified into the signature generation algorithm Sig and the signature verification algorithm Ver shown in Figure 20.
(Signature generation algorithm Sig)
First, the structure of the signature generation algorithm Sig is described. The signature generation algorithm Sig includes the following processes (1) to (7).
Process (1): The signature generation algorithm Sig generates a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}).
Process (2): The signature generation algorithm Sig computes Cmt <- H(c_{01}, c_{11}, …, c_{0N}, c_{1N}).
Process (3): The signature generation algorithm Sig computes (Ch_{A1}, …, Ch_{AN}) <- H(M, Cmt). Here, M is the document to which the signature is attached.
Process (4): The signature generation algorithm Sig generates b_i = (t_{1i}, e_{1i}) for i = 1 to N.
Process (5): The signature generation algorithm Sig computes (Ch_{B1}, …, Ch_{BN}) <- H(M, Cmt, Ch_{A1}, …, Ch_{AN}, b_1, …, b_N). This may also be modified to (Ch_{B1}, …, Ch_{BN}) <- H(Ch_{A1}, …, Ch_{AN}, b_1, …, b_N).
Process (6): The signature generation algorithm Sig computes Rsp_i <- Select(Ch_{Bi}, a_i, b_i).
Process (7): The signature generation algorithm Sig sets (Cmt, b_1, …, b_N, Rsp_1, …, Rsp_N) as the digital signature.
(Signature verification algorithm Ver)
Next, the structure of the signature verification algorithm Ver is described. The signature verification algorithm Ver includes the following processes (1) to (4).
Process (1): The signature verification algorithm Ver computes (Ch_{A1}, …, Ch_{AN}) = H(M, Cmt).
Process (2): The signature verification algorithm Ver computes (Ch_{B1}, …, Ch_{BN}) = H(M, Cmt, Ch_{A1}, …, Ch_{AN}, b_1, …, b_N). When process (5) of the signature generation algorithm Sig is modified to (Ch_{B1}, …, Ch_{BN}) = H(Ch_{A1}, …, Ch_{AN}, b_1, …, b_N), the signature verification algorithm Ver computes (Ch_{B1}, …, Ch_{BN}) = H(Ch_{A1}, …, Ch_{AN}, b_1, …, b_N).
Process (3): The signature verification algorithm Ver reproduces c_{01}, c_{11}, …, c_{0N}, c_{1N} using Ch_{A1}, …, Ch_{AN}, Ch_{B1}, …, Ch_{BN}, Rsp_1, …, Rsp_N.
Process (4): The signature verification algorithm Ver verifies Cmt = H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) using the reproduced c_{01}, c_{11}, …, c_{0N}, c_{1N}.
As described above, by matching the prover in the model of the public-key authentication scheme with the signer in the digital signature scheme, the algorithm of the public-key authentication scheme can be modified into the algorithm of a digital signature scheme.
(4-2-2: Digital signature algorithm (configuration example 2: higher efficiency) (Figure 21))
As shown in Figure 21, another efficient algorithm for the 5-pass scheme (see, for example, Figure 17) is represented by five passes of interaction and six operations #1 to #6.
Operation #1 includes a process (1) of generating a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}) for i = 1 to N and a process (2) of computing Cmt_A <- H(c_{01}, c_{11}, …, c_{0N}, c_{1N}). The Cmt_A generated by the prover algorithm P in operation #1 is sent to the verifier algorithm V.
Operation #2 includes a process of selecting Ch_{A1}, …, Ch_{AN}. The Ch_{A1}, …, Ch_{AN} selected by the verifier algorithm V in operation #2 are sent to the prover algorithm P.
Operation #3 includes a process (1) of generating b_i = (t_{1i}, e_{1i}) for i = 1 to N and a process (2) of computing Cmt_B <- H(b_1, …, b_N). The Cmt_B generated by the prover algorithm P in operation #3 is sent to the verifier algorithm V.
Operation #4 includes a process of selecting Ch_{B1}, …, Ch_{BN}. The Ch_{B1}, …, Ch_{BN} selected by the verifier algorithm V in operation #4 are sent to the prover algorithm P.
Operation #5 includes a process of generating Rsp_1, …, Rsp_N using Ch_{B1}, …, Ch_{BN}, a_1, …, a_N, b_1, …, b_N. This process is represented as Rsp_i <- Select(Ch_{Bi}, a_i, b_i). The Rsp_1, …, Rsp_N generated by the prover algorithm P in operation #5 are sent to the verifier algorithm V.
Operation #6 includes a process (1) of reproducing c_{01}, c_{11}, …, c_{0N}, c_{1N}, b_1, …, b_N using Ch_{A1}, …, Ch_{AN}, Ch_{B1}, …, Ch_{BN}, Rsp_1, …, Rsp_N, a process (2) of verifying Cmt_A = H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) using the reproduced c_{01}, c_{11}, …, c_{0N}, c_{1N}, and a process (3) of verifying Cmt_B = H(b_1, …, b_N) using the reproduced b_1, …, b_N.
The algorithm of the public-key authentication scheme represented by operations #1 to #6 above is modified into the signature generation algorithm Sig and the signature verification algorithm Ver shown in Figure 21.
(Signature generation algorithm Sig)
First, the structure of the signature generation algorithm Sig is described. The signature generation algorithm Sig includes the following processes (1) to (8).
Process (1): The signature generation algorithm Sig generates a_i = (r_{0i}, t_{0i}, e_{0i}, r_{1i}, t_{1i}, e_{1i}, c_{0i}, c_{1i}).
Process (2): The signature generation algorithm Sig computes Cmt_A <- H(c_{01}, c_{11}, …, c_{0N}, c_{1N}).
Process (3): The signature generation algorithm Sig computes (Ch_{A1}, …, Ch_{AN}) <- H(M, Cmt_A). Here, M is the document to which the signature is attached.
Process (4): The signature generation algorithm Sig generates b_i = (t_{1i}, e_{1i}) for i = 1 to N.
Process (5): The signature generation algorithm Sig computes Cmt_B <- H(b_1, …, b_N).
Process (6): The signature generation algorithm Sig computes (Ch_{B1}, …, Ch_{BN}) <- H(M, Cmt, Ch_{A1}, …, Ch_{AN}, Cmt_B). This may also be modified to (Ch_{B1}, …, Ch_{BN}) <- H(Ch_{A1}, …, Ch_{AN}, Cmt_B).
Process (7): The signature generation algorithm Sig computes Rsp_i <- Select(Ch_{Bi}, a_i, b_i).
Process (8): The signature generation algorithm Sig sets (Cmt_A, Cmt_B, Rsp_1, …, Rsp_N) as the digital signature.
(Signature verification algorithm Ver)
Next, the structure of the signature verification algorithm Ver is described. The signature verification algorithm Ver includes the following processes (1) to (5).
Process (1): The signature verification algorithm Ver computes (Ch_{A1}, …, Ch_{AN}) = H(M, Cmt_A).
Process (2): The signature verification algorithm Ver computes (Ch_{B1}, …, Ch_{BN}) = H(M, Cmt_A, Ch_{A1}, …, Ch_{AN}, b_1, …, b_N, Cmt_B). When process (6) of the signature generation algorithm Sig is modified to (Ch_{B1}, …, Ch_{BN}) = H(Ch_{A1}, …, Ch_{AN}, Cmt_B), the signature verification algorithm Ver computes (Ch_{B1}, …, Ch_{BN}) = H(Ch_{A1}, …, Ch_{AN}, Cmt_B).
Process (3): The signature verification algorithm Ver reproduces c_{01}, c_{11}, …, c_{0N}, c_{1N}, b_1, …, b_N using Ch_{A1}, …, Ch_{AN}, Ch_{B1}, …, Ch_{BN}, Rsp_1, …, Rsp_N.
Process (4): The signature verification algorithm Ver verifies Cmt_A = H(c_{01}, c_{11}, …, c_{0N}, c_{1N}) using the reproduced c_{01}, c_{11}, …, c_{0N}, c_{1N}.
Process (5): The signature verification algorithm Ver verifies Cmt_B = H(b_1, …, b_N) using the reproduced b_1, …, b_N.
As described above, by matching the prover in the model of the public-key authentication scheme with the signer in the digital signature scheme, the algorithm of the public-key authentication scheme can be modified into the algorithm of a digital signature scheme.
<5: Hybrid algorithms>
It has been described that the interaction protocol needs to be executed repeatedly so that the probability of a successful forgery becomes negligibly small. The serial method and the parallel method have also been described as ways of executing the interaction protocol repeatedly; in particular, the parallel method was described with an example of a specific parallelized algorithm. Here, hybrid algorithms that combine the serial method and the parallel method will be introduced.
[5-1: Hybrid algorithms related to the 3-pass public-key authentication scheme]
First, the hybrid algorithms related to the 3-pass public-key authentication scheme will be described.
(5-1-1: Parallel-serial algorithm (Figure 22))
An example of a hybrid structure (hereinafter referred to as the parallel-serial structure) will be described with reference to Figure 22. Figure 22 shows the algorithm with the basic structure and the algorithm with the parallel-serial structure.
In the basic structure, the message Cmt is sent from the prover to the verifier in the first pass, the challenge Ch is sent from the verifier to the prover in the second pass, and the response Rsp is sent from the prover to the verifier in the third pass.
In the parallel-serial structure, on the other hand, the N messages (Cmt_1, ..., Cmt_N) are sent from the prover to the verifier in the first pass. In the second pass, one challenge Ch_1 is sent from the verifier to the prover. In the third pass, one response Rsp_1 is sent from the prover to the verifier. Thereafter, the challenges Ch_2, ..., Ch_N and the responses Rsp_2, ..., Rsp_N are exchanged sequentially between the prover and the verifier.
The parallel-serial structure of the above algorithm based on the public-key authentication scheme guarantees security against passive attacks. Moreover, the number of interactions is only 2N + 1. Furthermore, communication efficiency can be improved by collecting the N messages sent in the first pass into a single hash value.
(5-1-2: Serial-parallel algorithm (Figure 23))
Another example of a hybrid structure (hereinafter referred to as the serial-parallel structure) will be described with reference to Figure 23. Figure 23 shows the algorithm with the basic structure and the algorithm with the serial-parallel structure.
In the basic structure, the message Cmt is sent from the prover to the verifier in the first pass, the challenge Ch is sent from the verifier to the prover in the second pass, and the response Rsp is sent from the prover to the verifier in the third pass.
In the serial-parallel structure, one message Cmt_1 is sent from the prover to the verifier in the first pass, and one challenge Ch_1 is sent from the verifier to the prover in the second pass. Thereafter, the messages Cmt_2, ..., Cmt_N and the challenges Ch_2, ..., Ch_N are exchanged sequentially between the prover and the verifier. After the challenge Ch_N has been sent from the verifier to the prover, the N responses Rsp_1, ..., Rsp_N are sent from the prover to the verifier.
The serial-parallel structure of the above algorithm based on the public-key authentication scheme guarantees security against active attacks. Moreover, the number of interactions is only 2N + 1.
[5-2: Hybrid algorithms related to the 5-pass public-key authentication scheme]
Next, the hybrid algorithms related to the 5-pass public-key authentication scheme will be described.
(5-2-1: Parallel-serial algorithm (configuration example #1) (Figure 24))
First, an example of a hybrid structure (hereinafter referred to as parallel-serial structure #1) will be described with reference to Figure 24. Figure 24 shows the algorithm with the basic structure and the algorithm with parallel-serial structure #1.
In the basic structure, the message Cmt_A is sent from the prover to the verifier in the first pass. In the second pass, the number Ch_A is sent from the verifier to the prover. In the third pass, the vector Cmt_B is sent from the prover to the verifier. In the fourth pass, the challenge Ch_B is sent from the verifier to the prover. In the fifth pass, the response Rsp is sent from the prover to the verifier.
In parallel-serial structure #1, the N messages (Cmt_A1, ..., Cmt_AN) are sent from the prover to the verifier in the first pass. In the second pass, one number Ch_A1 is sent from the verifier to the prover. In the third pass, one vector Cmt_B1 is sent from the prover to the verifier. In the fourth pass, one challenge Ch_B1 is sent from the verifier to the prover. In the fifth pass, one response Rsp_1 is sent from the prover to the verifier. Thereafter, Ch_A2, ..., Ch_AN, Cmt_B2, ..., Cmt_BN, Ch_B2, ..., Ch_BN and the responses Rsp_2, ..., Rsp_N are exchanged sequentially between the prover and the verifier.
Parallel-serial structure #1 guarantees security against passive attacks. Moreover, the number of interactions is only 4N + 1. Furthermore, communication efficiency can be improved by collecting the N messages sent in the first pass into a single hash value.
(5-2-2: Parallel-serial algorithm (configuration example #2) (Figure 25))
Next, another example of a hybrid structure (hereinafter referred to as parallel-serial structure #2) will be described with reference to Figure 25. Figure 25 shows the algorithm with the basic structure and the algorithm with parallel-serial structure #2.
In parallel-serial structure #2, the N messages (Cmt_A1, ..., Cmt_AN) are sent from the prover to the verifier in the first pass. In the second pass, the N numbers (Ch_A1, ..., Ch_AN) are sent from the verifier to the prover. In the third pass, the N vectors (Cmt_B1, ..., Cmt_BN) are sent from the prover to the verifier. In the fourth pass, one challenge Ch_B1 is sent from the verifier to the prover. In the fifth pass, one response Rsp_1 is sent from the prover to the verifier. Thereafter, the challenges Ch_B2, ..., Ch_BN and the responses Rsp_2, ..., Rsp_N are exchanged sequentially between the prover and the verifier.
Parallel-serial structure #2 guarantees security against passive attacks. Moreover, the number of interactions is only 2N + 3. Furthermore, communication efficiency can be improved by collecting the N messages sent in the first pass, the N vectors sent in the third pass, and so on, each into a single hash value.
(5-2-3: Serial-parallel algorithm (configuration example #1) (Figure 26))
Next, another example of a hybrid structure (hereinafter referred to as serial-parallel structure #1) will be described with reference to Figure 26. Figure 26 shows the algorithm with the basic structure and the algorithm with serial-parallel structure #1.
In serial-parallel structure #1, one message Cmt_A1 is sent from the prover to the verifier in the first pass. In the second pass, one number Ch_A1 is sent from the verifier to the prover. In the third pass, one vector Cmt_B1 is sent from the prover to the verifier. In the fourth pass, one challenge Ch_B1 is sent from the verifier to the prover. Thereafter, Cmt_A2, ..., Cmt_AN, Ch_A2, ..., Ch_AN, Cmt_B2, ..., Cmt_BN and Ch_B2, ..., Ch_BN are exchanged sequentially between the prover and the verifier. Finally, the N responses (Rsp_1, ..., Rsp_N) are sent from the prover to the verifier.
Serial-parallel structure #1 guarantees security against active attacks. Moreover, the number of interactions is only 4N + 1.
(5-2-4: Serial-parallel algorithm (configuration example #2) (Figure 27))
Next, another example of a hybrid structure (hereinafter referred to as serial-parallel structure #2) will be described with reference to Figure 27. Figure 27 shows the algorithm with the basic structure and the algorithm with serial-parallel structure #2.
In serial-parallel structure #2, one message Cmt_A1 is sent from the prover to the verifier in the first pass. In the second pass, one number Ch_A1 is sent from the verifier to the prover. Thereafter, Cmt_A2, ..., Cmt_AN and Ch_A2, ..., Ch_AN are exchanged sequentially between the prover and the verifier. After the exchange of Ch_AN is complete, the N vectors (Cmt_B1, ..., Cmt_BN) are sent from the prover to the verifier. Subsequently, the N challenges (Ch_B1, ..., Ch_BN) are sent from the verifier to the prover. Finally, the N responses (Rsp_1, ..., Rsp_N) are sent from the prover to the verifier.
Serial-parallel structure #2 guarantees security against active attacks. Moreover, the number of interactions is only 2N + 3.
The hybrid algorithms related to the 5-pass public-key authentication scheme have been described above.
<6: Supplement>
Here, the description of the public-key authentication schemes given above will be supplemented.
[6-1: Method of setting system parameters]
Here, the description of the method of setting parameters will be supplemented.
(Coefficients of the polynomials)
The above description did not cover how to set the coefficients of the multivariate polynomials and the random number seed used to generate those coefficients (hereinafter, the coefficients of the polynomials etc.). The coefficients of the polynomials etc. may be a parameter common to the whole system, or a parameter that differs for each user.
However, when the coefficients of the polynomials etc. are set as a parameter common to the whole system, the settings of the entire system may need to be updated if a weakness is found in the polynomials. In addition, while the average robustness (difficulty of solving) is analysed for polynomials with randomly selected coefficients, it is difficult to guarantee sufficient robustness for polynomials with certain specific coefficients.
Therefore, the inventors of the present technology devised a structure in which the coefficients of the polynomials are generated by using a character string or the like selected by each user as the seed of a pseudo-random number generator. Conceivable methods include, for example, using the user's e-mail address as the seed, or using as the seed a character string that combines the e-mail address with an update date or the like. With such a method, even if a weakness is found in the polynomials whose coefficients were generated from a given character string, the impact is confined to the users using the polynomials with those coefficients. Moreover, since the polynomials are changed simply by changing the character string, the weakness can easily be resolved.
The method of setting system parameters has been described above. The above description used a character string as an example, but a different numeric string or symbol string may be used for each user.
(Number m of polynomials and number n of variables)
The above interaction protocol guarantees security against passive attacks. However, when the interaction protocol is executed repeatedly in parallel, the condition described below is needed in order to prove reliably that security against active attacks is guaranteed.
The above interaction protocol is an algorithm for proving to the verifier, using a key pair (public key y and secret key s), that "the prover knows s satisfying y = F(s) for y". For this reason, when an interaction accepted by the verification is performed, the possibility that the verifier learns information indicating that "the prover used s in the interaction" cannot be denied. In addition, collision resistance is not guaranteed for the polynomials F. For these reasons, when the above interaction protocol is executed repeatedly in parallel, it is difficult to prove unconditionally that security against active attacks is reliably guaranteed.
Therefore, the inventors of the present technology examined a method that prevents the verifier from learning information indicating that "the prover used s in the interaction" even when an interaction accepted by the verification is performed. The inventors further devised a method that guarantees security against active attacks even when the above interaction protocol is executed repeatedly in parallel. In this method, the number m of the polynomials f_1, ..., f_m serving as the public key is set to a value sufficiently smaller than the number n of variables. For example, m and n are set so that 2^(m-n) << 1 (for example, with n = 160 and m = 80, 2^(-80) << 1).
In a scheme whose security is based on the difficulty of solving a system of multi-order multivariate simultaneous equations, even when a secret key s_1 and the corresponding public key pk are given, it is difficult to generate another secret key s_2 corresponding to the public key pk. Hence, when it is guaranteed that two or more secret keys s exist for the public key pk, the verifier can be prevented from learning information indicating that "the prover used s in the interaction" even when an interaction accepted by the verification is performed. That is, once this guarantee is established, security against active attacks can be guaranteed even when the interaction protocol is executed repeatedly in parallel.
When the function F: K^n -> K^m composed of m multi-order polynomials in n variables (where n > m) is considered with reference to Figure 29, the number of elements of the domain that have no second preimage is at most |K|^m - 1. Therefore, when |K|^(m-n) is made sufficiently small, the probability that an element of the domain having no second preimage is selected can be made negligibly small. That is, when the number m of the multi-order polynomials f_1, ..., f_m in n variables is set to a value sufficiently smaller than the number n of variables, it can be guaranteed that two or more secret keys s exist for the public key pk. Consequently, even when an interaction accepted by the verification is performed, the verifier can be prevented from learning information indicating that "the prover used s in the interaction", and security against active attacks is guaranteed even when the interaction protocol is executed repeatedly in parallel.
As described above, by applying the condition that the number m of the multi-order polynomials f_1, ..., f_m in n variables is set to a value sufficiently smaller than the number n of variables (where n > m and, preferably, 2^(m-n) << 1), security can be guaranteed when the interaction protocol is executed repeatedly in parallel.
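As an added illustration that is not part of the patent, the following Python script combines the two points of 6-1: it derives a user-specific polynomial system from a seed built from a character string and an update date (SHAKE-256 is an assumed choice of pseudo-random number generator), and then brute-forces, for constructed toy values of K, n and m, how many domain elements have no second preimage, checking the count against the |K|^m - 1 bound and the |K|^(m-n) fraction.

```python
import hashlib
from collections import Counter
from itertools import combinations_with_replacement, product


def user_seed(user_string: str, update_date: str) -> bytes:
    """Seed for the coefficient PRNG: the user's string plus an update date.

    Each part is length-prefixed under a fixed label so that different
    (string, date) pairs never collide byte-for-byte before hashing.
    """
    h = hashlib.sha256()
    for part in (b"mq-coefficients-v1", user_string.encode(), update_date.encode()):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def monomials(n: int, degree: int):
    """All monomials of degree 1..degree in n variables, as index tuples."""
    return [mono for d in range(1, degree + 1)
            for mono in combinations_with_replacement(range(n), d)]


def derive_polynomials(seed: bytes, q: int, n: int, m: int, degree: int = 3):
    """Expand the seed with SHAKE-256 into m polynomials of degree <= `degree`.

    Coefficients are uniform in GF(q) via rejection sampling on output bytes
    (requires q <= 256); the same seed always yields the same polynomials.
    """
    monos = monomials(n, degree)
    needed, limit = m * len(monos), 256 - (256 % q)
    length = 2 * needed
    while True:
        stream = hashlib.shake_256(seed).digest(length)
        vals = [b % q for b in stream if b < limit]
        if len(vals) >= needed:
            break
        length *= 2  # XOF output is prefix-consistent, so simply read further
    return [dict(zip(monos, vals[k * len(monos):(k + 1) * len(monos)]))
            for k in range(m)]


def evaluate(system, q: int, x):
    """F(x) = (f_1(x), ..., f_m(x)) over GF(q)."""
    out = []
    for poly in system:
        acc = 0
        for mono, c in poly.items():
            term = c
            for i in mono:
                term = term * x[i] % q
            acc = (acc + term) % q
        out.append(acc)
    return tuple(out)


def no_second_preimage_count(system, q: int, n: int) -> int:
    """Number of x in K^n whose image F(x) has no other preimage (brute force)."""
    images = Counter(evaluate(system, q, x) for x in product(range(q), repeat=n))
    return sum(1 for count in images.values() if count == 1)


def no_second_preimage_bound(q: int, n: int, m: int):
    """The page's bound: at most |K|^m - 1 such elements, i.e. a fraction of
    the domain below |K|^(m-n)."""
    return q ** m - 1, q ** (m - n)


if __name__ == "__main__":
    # Constructed toy parameters; real parameters are far larger (e.g. n = 160, m = 80).
    q, n, m = 3, 5, 2
    system = derive_polynomials(user_seed("alice@example.com", "2024-01-01"), q, n, m)
    count = no_second_preimage_count(system, q, n)
    bound, fraction = no_second_preimage_bound(q, n, m)
    print(f"{count} of {q ** n} domain elements lack a second preimage "
          f"(bound {bound}, fraction <= {fraction:.4f})")
    # Changing only the date rotates the user's polynomials.
    rotated = derive_polynomials(user_seed("alice@example.com", "2024-06-01"), q, n, m)
    print("rotated coefficients differ:", rotated != system)
```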
[6-2: Method of responding to an irregular challenge]
Here, a method of responding to an irregular challenge will be described.
(6-2-1: Response method on the prover side)
Consider the possibility that the verifier gives a false challenge in the interaction protocol. For example, in the 3-pass scheme, the prover sends the messages (c_0, c_1, c_2) to the verifier, and the verifier sends the challenge Ch = 0 to the prover. Thereafter, the response Rsp corresponding to the challenge Ch = 0 is sent from the prover to the verifier. Up to this point, the interaction has been executed normally.
Suppose that the verifier then additionally requests from the prover the response Rsp corresponding to the challenge Ch = 1. If the prover sends the response Rsp corresponding to that challenge Ch = 1 to the verifier, the secret key may be leaked to the verifier. Such leakage of the secret key can actually occur. For example, the verifier may falsely claim that the challenge it sent in the second pass was Ch = 1 rather than Ch = 0 and additionally request the response Rsp corresponding to the challenge Ch = 1. On the other hand, the prover may have misread the bits of the challenge Ch sent in the second pass as different bits because of a communication error.
Therefore, as a method of avoiding leakage of the secret key, the inventors of the present technology devised a method in which, when the prover is asked for responses corresponding to two or more challenges Ch for a single message, the prover terminates the interaction or restarts the interaction from the first pass using new random numbers. With this method, the secret key is not leaked even when the verifier falsely requests responses corresponding to two or more challenges Ch.
(6-2-2: Response method on the verifier side)
Next, consider the possibility that the prover falsely requests retransmission of the challenge Ch. For example, suppose that in the 3-pass scheme the prover sends the messages (c_0, c_1, c_2) to the verifier, the verifier sends the challenge Ch = 0 to the prover, and the prover then requests that the challenge Ch be sent again. If the verifier selects the challenge Ch at random anew in response to the retransmission request, a challenge Ch = 1 different from the previously sent challenge Ch = 0 may be selected. In this case, the challenge Ch = 1 is sent from the verifier to the prover. Suppose the prover is able to send the response Rsp corresponding to the challenge Ch = 1 to the verifier.
In this case, the prover can respond to the challenge Ch = 1 but may be unable to respond to the challenge Ch = 0. That is, the possibility that the prover deceives the verifier cannot be denied. For example, the prover may request retransmission of the challenge Ch because it lost the challenge Ch. On the other hand, the verifier may assume that the previously sent challenge was lost because of a communication error and resend the challenge Ch in response to the prover's request. Then, when the resent challenge Ch differs from the previously sent challenge Ch, a forgery may succeed.
As can be understood from this example, because the challenge Ch is selected at random, there is a risk that the prover carries out a forgery. Therefore, to remove the risk of forgery, the inventors of the present technology devised an improvement of the interaction protocol in which, when the prover requests that the challenge Ch be sent again for a single message, the verifier terminates the interaction or resends the same challenge Ch as before instead of generating a new random number. With this method, the risk of forgery that exploits a challenge retransmission request can be eliminated.
The safe method of responding to an irregular challenge has been described above. The above description used the basic structure of the 3-pass scheme as an example, but security can also be improved by applying the same idea to the serial repetition structure, the parallel repetition structure or the hybrid repetition structures. Of course, this can also be applied to the algorithms related to the 5-pass scheme.
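The following Python code is an added example, not part of the patent. For concreteness it assumes the quadratic 3-pass protocol with messages (c_0, c_1, c_2) and Ch in {0, 1, 2} (the patent's scheme uses cubic polynomials with G_1 and G_2; the field, n and m here are constructed toy values), and wraps it in prover and verifier sessions that apply the rules of 6-2-1 and 6-2-2: the prover answers at most one challenge per message and otherwise restarts with fresh randomness, and the verifier re-sends the identical challenge on a retransmission request.

```python
import hashlib
import secrets

Q, N_VAR, M_POLY = 7, 4, 3  # constructed toy parameters (not secure): GF(7), n = 4, m = 3


def gen_system(seed: bytes):
    """m homogeneous quadratics f_l = sum_{i<=j} coeff[l][i][j] x_i x_j (assumed form)."""
    stream = iter(hashlib.shake_256(seed).digest(M_POLY * N_VAR * N_VAR))
    return [[[next(stream) % Q if i <= j else 0 for j in range(N_VAR)]
             for i in range(N_VAR)] for _ in range(M_POLY)]


def F(coeff, x):
    """Evaluate F(x) = (f_1(x), ..., f_m(x)) over GF(Q)."""
    return [sum(coeff[l][i][j] * x[i] * x[j]
                for i in range(N_VAR) for j in range(i, N_VAR)) % Q
            for l in range(M_POLY)]


def vadd(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]


def vsub(a, b):
    return [(u - v) % Q for u, v in zip(a, b)]


def G(coeff, x, y):
    """G(x, y) = F(x + y) - F(x) - F(y); bilinear because F is quadratic."""
    return vsub(vsub(F(coeff, vadd(x, y)), F(coeff, x)), F(coeff, y))


def H(*vectors):
    """Commitment hash over a length-prefixed encoding of the vectors."""
    h = hashlib.sha256()
    for v in vectors:
        h.update(bytes([len(v)]) + bytes(v))
    return h.hexdigest()


def rand_vec(k): return [secrets.randbelow(Q) for _ in range(k)]


def commit(coeff, s):
    """First pass: the prover builds (c_0, c_1, c_2) from fresh randomness."""
    r0, t0, e0 = rand_vec(N_VAR), rand_vec(N_VAR), rand_vec(M_POLY)
    r1, t1, e1 = vsub(s, r0), vsub(r0, t0), vsub(F(coeff, r0), e0)
    c0 = H(r1, vadd(G(coeff, t0, r1), e0))
    return (c0, H(t0, e0), H(t1, e1)), (r0, r1, t0, t1, e0, e1)


def respond(state, ch):
    """Third pass: open the two commitments selected by Ch in {0, 1, 2}."""
    r0, r1, t0, t1, e0, e1 = state
    return {0: (r0, t1, e1), 1: (r1, t0, e0), 2: (r1, t1, e1)}[ch]


def verify(coeff, y, cmt, ch, rsp):
    """Verifier check; only Ch = 2 ties the opened values to the public key y."""
    c0, c1, c2 = cmt
    if ch == 0:
        r0, t1, e1 = rsp
        return c1 == H(vsub(r0, t1), vsub(F(coeff, r0), e1)) and c2 == H(t1, e1)
    if ch == 1:
        r1, t0, e0 = rsp
        return c0 == H(r1, vadd(G(coeff, t0, r1), e0)) and c1 == H(t0, e0)
    r1, t1, e1 = rsp
    opened = vsub(vsub(vsub(y, F(coeff, r1)), G(coeff, t1, r1)), e1)
    return c0 == H(r1, opened) and c2 == H(t1, e1)


class ProverSession:
    """Prover side applying 6-2-1: at most one challenge per message, else restart."""
    def __init__(self, coeff, s):
        self.coeff, self.s = coeff, s
        self.restart()

    def restart(self):
        self.cmt, self.state = commit(self.coeff, self.s)
        self.answered = None  # the challenge already answered for this commitment

    def challenge(self, ch):
        if self.answered is not None and self.answered != ch:
            # Answering both Ch = 0 and Ch = 1 would expose r_0 and r_1 = s - r_0,
            # so a second, different challenge is refused and fresh randomness is drawn.
            self.restart()
            return None
        self.answered = ch
        return respond(self.state, ch)


class VerifierSession:
    """Verifier side applying 6-2-2: a re-requested challenge is the same challenge."""
    def __init__(self, coeff, y, cmt):
        self.coeff, self.y, self.cmt, self.ch = coeff, y, cmt, None

    def challenge(self):
        if self.ch is None:
            self.ch = secrets.randbelow(3)
        return self.ch  # never re-randomised while this commitment is open

    def check(self, rsp):
        return rsp is not None and verify(self.coeff, self.y, self.cmt, self.ch, rsp)


def run_round(coeff, s, y):
    """One honest 3-pass round; returns the verifier's accept/reject decision."""
    prover = ProverSession(coeff, s)
    verifier = VerifierSession(coeff, y, prover.cmt)
    ch = verifier.challenge()
    return verifier.check(prover.challenge(ch))
```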
<7: Example of hardware configuration>
Each of the algorithms described above can be executed using, for example, the hardware configuration of the information processing apparatus shown in Figure 28. That is, the processing of each algorithm can be realized by controlling the hardware shown in Figure 28 with a computer program. The form of this hardware is arbitrary and may be a personal computer, a mobile information terminal such as a mobile phone, PHS or PDA, a game machine, a contact or contactless IC chip, a contact or contactless IC card, or various kinds of information appliances. PHS is an abbreviation for Personal Handy-phone System, and PDA is an abbreviation for Personal Digital Assistant.
As shown in Figure 28, this hardware mainly includes a CPU 902, a ROM 904, a RAM 906, a host bus 908 and a bridge 910. It further includes an external bus 912, an interface 914, an input unit 916, an output unit 918, a storage unit 920, a drive 922, a connection port 924 and a communication unit 926. CPU is an abbreviation for Central Processing Unit, ROM for Read Only Memory, and RAM for Random Access Memory.
The CPU 902 functions as, for example, an arithmetic processing unit or a control unit, and controls all or part of the operation of each structural element based on various programs recorded on the ROM 904, the RAM 906, the storage unit 920 or a removable recording medium 928. The ROM 904 is a device for storing, for example, programs to be loaded onto the CPU 902 or data used in arithmetic operations. The RAM 906 temporarily or permanently stores, for example, programs to be loaded onto the CPU 902 or various parameters that change as appropriate during execution of the programs.
These structural elements are connected to each other by, for example, the host bus 908, which is capable of high-speed data transfer. The host bus 908 is in turn connected via the bridge 910 to the external bus 912, whose data transfer speed is relatively low. The input unit 916 is, for example, a mouse, a keyboard, a touch panel, a button, a switch or a lever. The input unit 916 may also be a remote controller that transmits control signals using infrared or other radio waves.
The output unit 918 is, for example, a display device such as a CRT, LCD, PDP or ELD, an audio output device such as a speaker or headphones, a printer, a mobile phone or a facsimile, which can notify the user of acquired information visually or audibly. CRT is an abbreviation for Cathode Ray Tube, LCD for Liquid Crystal Display, PDP for Plasma Display Panel, and ELD for Electro-Luminescence Display.
The storage unit 920 is a device for storing various kinds of data. The storage unit 920 is, for example, a magnetic storage device such as a hard disk drive (HDD), a semiconductor storage device, an optical storage device or a magneto-optical storage device. HDD is an abbreviation for Hard Disk Drive.
The drive 922 is a device that reads information recorded on the removable recording medium 928, such as a magnetic disk, an optical disc, a magneto-optical disc or a semiconductor memory, or writes information to the removable recording medium 928. The removable recording medium 928 is, for example, DVD media, Blu-ray media, HD-DVD media or various kinds of semiconductor storage media. Of course, the removable recording medium 928 may also be, for example, an IC card equipped with a contactless IC chip or an electronic device. IC is an abbreviation for Integrated Circuit.
The connection port 924 is a port such as a USB port, an IEEE 1394 port, a SCSI port, an RS-232C port, or a port such as an optical audio terminal for connecting an externally connected device 930. The externally connected device 930 is, for example, a printer, a portable music player, a digital camera, a digital video camera or an IC recorder. USB is an abbreviation for Universal Serial Bus, and SCSI for Small Computer System Interface.
The communication unit 926 is a communication device for connecting to a network 932 and is, for example, a communication card for wired or wireless LAN, Bluetooth (registered trademark) or WUSB, an optical communication router, an ADSL router, or a device for contact or contactless communication. The network 932 connected to the communication unit 926 is configured from a network connected by wire or wirelessly and is, for example, the Internet, a home LAN, infrared communication, visible light communication, broadcasting or satellite communication. LAN is an abbreviation for Local Area Network, WUSB for Wireless USB, and ADSL for Asymmetric Digital Subscriber Line.
<8: Summary>
Finally, the technical contents of the embodiments of the present technology will be briefly described. The technical contents described here can be applied to various information processing apparatuses such as personal computers, mobile phones, game machines, information terminals, information appliances, car navigation systems and the like. The functions of the information processing apparatus described below may be realized by a single information processing apparatus or by a plurality of information processing apparatuses. Furthermore, the data storage means and arithmetic processing means used for the processing performed by the information processing apparatus described below may be installed in that information processing apparatus or in a device connected via a network.
The functional configuration of the information processing apparatus described above is realized as follows. For example, the information processing apparatus described in (1) below has the function of executing the algorithms related to an efficient public-key authentication scheme whose security is based on the difficulty of solving a system of multi-order multivariate simultaneous equations.
(1) An information processing apparatus comprising:
a message generating unit that generates a message based on a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing unit that provides the message to a verifier holding the set of multi-order multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); and
a response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 3) verification patterns,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F includes m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2 respectively.
(2) The information processing apparatus according to (1),
wherein the message generating unit generates N messages (N >= 2),
wherein the message providing unit provides the N messages to the verifier in a single interaction, and
wherein the response providing unit provides the verifier, in a single interaction, with N pieces of response information corresponding to the verification patterns selected by the verifier for each of the N messages.
(3) An information processing apparatus comprising:
an information storage unit that stores a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquiring unit that acquires a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n;
a pattern information providing unit that provides the prover who provided the message with information about one verification pattern randomly selected from among k (k >= 3) verification patterns;
a response acquiring unit that acquires from the prover response information corresponding to the selected verification pattern; and
a verification unit that verifies whether the prover holds the vector s based on the message, the set of multi-order multivariate polynomials F, the vector y and the response information,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F includes m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2 respectively.
(4) The information processing apparatus according to (3),
wherein the message acquiring unit acquires N messages (N >= 2) in a single interaction,
wherein the pattern information providing unit selects a verification pattern for each of the N messages and provides the prover with information about the N selected verification patterns in a single interaction,
wherein the response acquiring unit acquires from the prover, in a single interaction, N pieces of response information corresponding to the N selected verification patterns, and
wherein the verification unit determines that the prover holds the vector s when the verification succeeds for all of the N messages.
(5) An information processing apparatus comprising:
a message generating unit that generates a message based on a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing unit that provides the message to a verifier holding the set of multi-order multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
an intermediate information generating unit that generates third information based on first information randomly selected by the verifier and second information obtained when the message was generated;
an intermediate information providing unit that provides the third information to the verifier; and
a response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k (k >= 2) verification patterns,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F includes m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2 respectively.
(6) The information processing apparatus according to (5),
wherein the message generating unit generates N messages (N >= 2),
wherein the message providing unit provides the N messages to the verifier in a single interaction,
wherein the intermediate information generating unit generates N pieces of third information based on the first information selected by the verifier for each of the N messages and N pieces of second information obtained when the N messages were generated,
wherein the intermediate information providing unit provides the N pieces of third information to the verifier in a single interaction, and
wherein the response providing unit provides the verifier, in a single interaction, with N pieces of response information corresponding to the verification patterns selected by the verifier for each of the N messages.
(7) An information processing device, comprising:
An information storage unit that stores a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A message acquiring unit that acquires a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
An information providing unit that provides randomly selected first information to the prover who provided the message;
An intermediate information acquiring unit that acquires third information generated by the prover based on the first information and second information obtained when the message was generated;
A pattern information providing unit that provides the prover with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
A response acquiring unit that acquires from the prover response information corresponding to the selected verification pattern; and
A verifying unit that verifies whether the prover stores the vector $s$, based on the message, the first information, the third information, the set of multi-order multivariate polynomials $F$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
(8) The information processing device according to (7),
Wherein the message acquiring unit acquires $N$ messages (where $N \geq 2$) in a single interaction,
Wherein the information providing unit selects first information at random for each of the $N$ messages and provides the $N$ pieces of selected first information to the prover in a single interaction,
Wherein the intermediate information acquiring unit acquires $N$ pieces of third information generated by the prover based on the $N$ pieces of first information and $N$ pieces of second information obtained when the $N$ messages were generated,
Wherein the pattern information providing unit selects a verification pattern for each of the $N$ messages and provides the prover with information on the $N$ selected verification patterns in a single interaction,
Wherein the response acquiring unit acquires from the prover, in a single interaction, $N$ pieces of response information corresponding to the $N$ selected verification patterns, and
Wherein the verifying unit determines that the prover stores the vector $s$ when the verification succeeds for all $N$ messages.
(9) A signature generation device, comprising:
A message generating unit that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing unit that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A mode selecting unit that selects one verification pattern from among $k$ verification patterns (where $k \geq 3$) based on a numerical value obtained by inputting a document $M$ and the message into a one-way function;
A response generating unit that generates response information corresponding to the selected verification pattern; and
A signature providing unit that provides the message and the response information to the verifier as a signature,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(10) An information processing method, comprising the steps of:
Generating a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
Providing the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$; and
Providing the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 3$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(11) An information processing method, comprising the steps of:
Storing, by an information processing device, a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
Acquiring a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
Providing the prover who provided the message with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
Acquiring from the prover response information corresponding to the selected verification pattern; and
Verifying whether the prover stores the vector $s$, based on the message, the set of multi-order multivariate polynomials $F$, the vector $y$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(12) An information processing method, comprising the steps of:
Generating a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
Providing the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
Generating third information based on first information selected at random by the verifier and second information obtained when the message was generated;
Providing the third information to the verifier; and
Providing the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 2$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
(13) An information processing method, comprising the steps of:
Storing, by an information processing device, a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
Acquiring a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
Providing randomly selected first information to the prover who provided the message;
Acquiring third information generated by the prover based on the first information and second information obtained when the message was generated;
Providing the prover with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
Acquiring from the prover response information corresponding to the selected verification pattern; and
Verifying whether the prover stores the vector $s$, based on the message, the first information, the third information, the set of multi-order multivariate polynomials $F$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
(14) A signature generation method, comprising the steps of:
Generating a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
Providing the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
Selecting one verification pattern from among $k$ verification patterns (where $k \geq 3$) based on a numerical value obtained by inputting a document $M$ and the message into a one-way function;
Generating response information corresponding to the selected verification pattern; and
Providing the message and the response information to the verifier as a signature,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(15) A program causing a computer to realize:
A message generating function that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing function that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$; and
A response providing function that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 3$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(16) A program causing a computer to realize:
An information storage function that stores a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A message acquiring function that acquires a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
A pattern information providing function that provides the prover who provided the message with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
A response acquiring function that acquires from the prover response information corresponding to the selected verification pattern; and
A verifying function that verifies whether the prover stores the vector $s$, based on the message, the set of multi-order multivariate polynomials $F$, the vector $y$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(17) A program causing a computer to realize:
A message generating function that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing function that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
An intermediate information generating function that generates third information based on first information selected at random by the verifier and second information obtained when the message was generated;
An intermediate information providing function that provides the third information to the verifier; and
A response providing function that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 2$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
(18) A program causing a computer to realize:
An information storage function that stores a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A message acquiring function that acquires a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
An information providing function that provides randomly selected first information to the prover who provided the message;
An intermediate information acquiring function that acquires third information generated by the prover based on the first information and second information obtained when the message was generated;
A pattern information providing function that provides the prover with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
A response acquiring function that acquires from the prover response information corresponding to the selected verification pattern; and
A verifying function that verifies whether the prover stores the vector $s$, based on the message, the first information, the third information, the set of multi-order multivariate polynomials $F$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
(19) A program causing a computer to realize:
A message generating function that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing function that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A mode selecting function that selects one verification pattern from among $k$ verification patterns (where $k \geq 3$) based on a numerical value obtained by inputting a document $M$ and the message into a one-way function;
A response generating function that generates response information corresponding to the selected verification pattern; and
A signature providing function that provides the message and the response information to the verifier as a signature,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ and the vector $y$ are public keys,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public keys and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
(20) The device according to any one of (1) to (9), wherein $m$ and $n$ satisfy the relation $m<n$.
(21) The device according to (20), wherein $m$ and $n$ satisfy the relation $2^{m-n} \ll 1$.
(22) A computer-readable recording medium on which the program according to any one of (15) to (19) is recorded.
(Remarks)
The prover algorithm P described above is an example of the message generating unit, the message providing unit, the response providing unit, the intermediate information generating unit and the intermediate information providing unit. The verifier algorithm V described above is an example of the information storage unit, the message acquiring unit, the pattern information providing unit, the response acquiring unit, the verifying unit and the intermediate information acquiring unit.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is of course not limited to the above examples. A person skilled in the art may find various alterations and modifications within the scope of the appended claims, and it should be understood that they will naturally come under the technical scope of the present invention.
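The cubic polar form that every item above sets up, as an added example in Python (not code from the patent): it builds a toy system $F$ of third-order polynomials over the ring $K=\mathrm{GF}(31)$, splits $F(x_1+x_2)-F(x_1)-F(x_2)$ into a part $G_1$ additive in $x_1$ and a part $G_2$ additive in $x_2$, and checks those identities together with the key setup $y=F(s)$. The modulus, the parameter sizes and the term-by-term split are assumptions of this example.

```python
"""Cubic polar form G_1 + G_2 = F(x1 + x2) - F(x1) - F(x2) over GF(p).

Added example (not code from the patent): it builds a random system
F = (f_1, ..., f_m) of third-order polynomials over the ring K = GF(P),
splits the polar form into a part G_1 additive in x1 and a part G_2
additive in x2, and checks the identities the claims rely on. Field
size and (n, m) are toy values chosen for this example.
"""
import random
from itertools import combinations, combinations_with_replacement

P = 31  # K = GF(31); toy modulus, an assumption of this example


def random_cubic_system(n, m, rng):
    """m random polynomials of degree <= 3 in n variables; each polynomial is
    a dict {sorted tuple of variable indices: coefficient}. No constant
    terms, so that F(0) = 0 and the polar form below has no offset."""
    system = []
    for _ in range(m):
        poly = {}
        for degree in (1, 2, 3):
            for mono in combinations_with_replacement(range(n), degree):
                poly[mono] = rng.randrange(P)
        system.append(poly)
    return system


def eval_poly(poly, x):
    total = 0
    for mono, coeff in poly.items():
        term = coeff
        for i in mono:
            term = term * x[i] % P
        total = (total + term) % P
    return total


def eval_system(F, x):
    return [eval_poly(f, x) for f in F]


def polar_parts(poly, x1, x2):
    """Return (g1, g2) with g1 + g2 = f(x1 + x2) - f(x1) - f(x2).

    Expanding prod_p (x1[v_p] + x2[v_p]) over the factors v_p of a monomial
    gives one term per subset S of factor positions taken from x1. The terms
    with S nonempty and proper are the polar form; those with exactly one x1
    factor go to g1 (additive in x1), those with two x1 factors (cubic
    monomials only) go to g2 (additive in x2). Degree-1 monomials cancel."""
    g1 = g2 = 0
    for mono, coeff in poly.items():
        d = len(mono)
        for size in range(1, d):
            for S in combinations(range(d), size):
                term = coeff
                for pos, var in enumerate(mono):
                    term = term * (x1[var] if pos in S else x2[var]) % P
                if size == 1:
                    g1 = (g1 + term) % P
                else:
                    g2 = (g2 + term) % P
    return g1, g2


def G1(F, x1, x2):
    return [polar_parts(f, x1, x2)[0] for f in F]


def G2(F, x1, x2):
    return [polar_parts(f, x1, x2)[1] for f in F]


def vec_add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]


def vec_sub(a, b):
    return [(u - v) % P for u, v in zip(a, b)]


def check_polar_identities(F, n, seed=2, trials=20):
    """Check on random inputs the three properties stated in the claims:
    G_1 + G_2 equals the polar form, G_1 is additive in x1, G_2 in x2."""
    rng = random.Random(seed)
    rand_vec = lambda: [rng.randrange(P) for _ in range(n)]
    for _ in range(trials):
        x1, x2, a, b = rand_vec(), rand_vec(), rand_vec(), rand_vec()
        polar = vec_sub(vec_sub(eval_system(F, vec_add(x1, x2)),
                                eval_system(F, x1)), eval_system(F, x2))
        if vec_add(G1(F, x1, x2), G2(F, x1, x2)) != polar:
            return False
        if G1(F, vec_add(x1, a), x2) != vec_add(G1(F, x1, x2), G1(F, a, x2)):
            return False
        if G2(F, x1, vec_add(x2, b)) != vec_add(G2(F, x1, x2), G2(F, x1, b)):
            return False
    return True


def keygen(n, m, seed):
    """Key setup as in the claims: F is public (or a system parameter),
    s in K^n is the secret key and y = F(s) is the public key."""
    rng = random.Random(seed)
    F = random_cubic_system(n, m, rng)
    s = [rng.randrange(P) for _ in range(n)]
    return F, s, eval_system(F, s)


if __name__ == "__main__":
    F, s, y = keygen(n=6, m=4, seed=1)  # m < n as in item (20)
    print("public key y = F(s):", y)
    print("polar identities hold:", check_polar_identities(F, 6))
```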
Reference Signs List
Gen key generation algorithm
P prover algorithm
V verifier algorithm
Sig signature generation algorithm
Ver signature verification algorithm
Claims (as amended under Article 19 of the Treaty)
1. An information processing device, comprising:
A message generating unit that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing unit that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$; and
A response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 3$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ is a public key or a system parameter, and the vector $y$ is a public key,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public key and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
2. The information processing device according to claim 1,
Wherein the message generating unit generates $N$ messages (where $N \geq 2$),
Wherein the message providing unit provides the $N$ messages to the verifier in a single interaction, and
Wherein the response providing unit provides the verifier, in a single interaction, with $N$ pieces of response information corresponding to the verification patterns selected by the verifier for each of the $N$ messages.
3. An information processing device, comprising:
An information storage unit that stores a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A message acquiring unit that acquires a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
A pattern information providing unit that provides the prover who provided the message with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
A response acquiring unit that acquires from the prover response information corresponding to the selected verification pattern; and
A verifying unit that verifies whether the prover stores the vector $s$, based on the message, the set of multi-order multivariate polynomials $F$, the vector $y$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ is a public key or a system parameter, and the vector $y$ is a public key,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public key and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
4. The information processing device according to claim 3,
Wherein the message acquiring unit acquires $N$ messages (where $N \geq 2$) in a single interaction,
Wherein the pattern information providing unit selects a verification pattern for each of the $N$ messages and provides the prover with information on the $N$ selected verification patterns in a single interaction,
Wherein the response acquiring unit acquires from the prover, in a single interaction, $N$ pieces of response information corresponding to the $N$ selected verification patterns, and
Wherein the verifying unit determines that the prover stores the vector $s$ when the verification succeeds for all $N$ messages.
5. An information processing device, comprising:
A message generating unit that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing unit that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
An intermediate information generating unit that generates third information based on first information selected at random by the verifier and second information obtained when the message was generated;
An intermediate information providing unit that provides the third information to the verifier; and
A response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 2$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ is a public key or a system parameter, and the vector $y$ is a public key,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public key, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
6. The information processing device according to claim 5,
Wherein the message generating unit generates $N$ messages (where $N \geq 2$),
Wherein the message providing unit provides the $N$ messages to the verifier in a single interaction,
Wherein the intermediate information generating unit generates $N$ pieces of third information based on the first information selected by the verifier for each of the $N$ messages and $N$ pieces of second information obtained when the $N$ messages were generated,
Wherein the intermediate information providing unit provides the $N$ pieces of third information to the verifier in a single interaction, and
Wherein the response providing unit provides the verifier, in a single interaction, with $N$ pieces of response information corresponding to the verification patterns selected by the verifier for each of the $N$ messages.
7. An information processing device, comprising:
An information storage unit that stores a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A message acquiring unit that acquires a message generated based on the set of multi-order multivariate polynomials $F$ and a vector $s$ that is an element of the set $K^n$;
An information providing unit that provides randomly selected first information to the prover who provided the message;
An intermediate information acquiring unit that acquires third information generated by the prover based on the first information and second information obtained when the message was generated;
A pattern information providing unit that provides the prover with information on one verification pattern selected at random from among $k$ verification patterns (where $k \geq 3$);
A response acquiring unit that acquires from the prover response information corresponding to the selected verification pattern; and
A verifying unit that verifies whether the prover stores the vector $s$, based on the message, the first information, the third information, the set of multi-order multivariate polynomials $F$ and the response information,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ is a public key or a system parameter, and the vector $y$ is a public key,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public key, the first information, the third information and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are linear with respect to $x_1$ and $x_2$ respectively.
8. The information processing device according to claim 7,
Wherein the message acquiring unit acquires $N$ messages (where $N \geq 2$) in a single interaction,
Wherein the information providing unit selects first information at random for each of the $N$ messages and provides the $N$ pieces of selected first information to the prover in a single interaction,
Wherein the intermediate information acquiring unit acquires $N$ pieces of third information generated by the prover based on the $N$ pieces of first information and $N$ pieces of second information obtained when the $N$ messages were generated,
Wherein the pattern information providing unit selects a verification pattern for each of the $N$ messages and provides the prover with information on the $N$ selected verification patterns in a single interaction,
Wherein the response acquiring unit acquires from the prover, in a single interaction, $N$ pieces of response information corresponding to the $N$ selected verification patterns, and
Wherein the verifying unit determines that the prover stores the vector $s$ when the verification succeeds for all $N$ messages.
9. A signature generation device, comprising:
A message generating unit that generates a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
A message providing unit that provides the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$;
A mode selecting unit that selects one verification pattern from among $k$ verification patterns (where $k \geq 3$) based on a numerical value obtained by inputting a document $M$ and the message into a one-way function;
A response generating unit that generates response information corresponding to the selected verification pattern; and
A signature providing unit that provides the message and the response information to the verifier as a signature,
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ is a public key or a system parameter, and the vector $y$ is a public key,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public key and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
10. An information processing method, comprising the steps of:
Generating a message based on a set of multi-order multivariate polynomials $F=(f_1,\ldots,f_m)$ defined over a ring $K$ and a vector $s$ that is an element of the set $K^n$;
Providing the message to a verifier storing the set of multi-order multivariate polynomials $F$ and a vector $y=(y_1,\ldots,y_m)=(f_1(s),\ldots,f_m(s))$; and
Providing the verifier with response information corresponding to a verification pattern selected by the verifier from among $k$ verification patterns (where $k \geq 3$),
Wherein the vector $s$ is a secret key,
Wherein the set of multi-order multivariate polynomials $F$ is a public key or a system parameter, and the vector $y$ is a public key,
Wherein the message is information obtained by executing a calculation prepared in advance for the verification pattern corresponding to the response information, based on the public key and the response information, and
Wherein the set of multi-order multivariate polynomials $F$ consists of $m$ third-order polynomials $f_1,\ldots,f_m$ and is set such that $G_1(x_1,x_2)$ and $G_2(x_1,x_2)$, defined by $G_1(x_1,x_2)+G_2(x_1,x_2)=F(x_1+x_2)-F(x_1)-F(x_2)$, are additively homomorphic with respect to $x_1$ and $x_2$ respectively.
11. An information processing method comprising the steps of:
storing, by an information processing device, a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
acquiring a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
providing a prover who provided the message with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
acquiring from the prover response information corresponding to the selected verification pattern; and
verifying, based on the message, the set of multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
12. An information processing method comprising the steps of:
generating a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
providing the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
generating third information based on first information randomly selected by the verifier and second information obtained when the message was generated;
providing the third information to the verifier; and
providing the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 2),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
13. An information processing method comprising the steps of:
storing, by an information processing device, a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
acquiring a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
providing randomly selected first information to a prover who provided the message;
acquiring third information generated by the prover based on the first information and second information obtained when the message was generated;
providing the prover with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
acquiring from the prover response information corresponding to the selected verification pattern; and
verifying, based on the message, the first information, the third information, the set of multivariate polynomials F and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
14. A signature generation method comprising the steps of:
generating a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
providing the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
selecting one verification pattern from among k verification patterns (where k ≥ 3) based on a value obtained by inputting a document M and the message into a one-way function;
generating response information corresponding to the selected verification pattern; and
providing the verifier with the message and the response information as a signature,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
15. A program causing a computer to realize:
a message generation function that generates a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing function that provides the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); and
a response providing function that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 3),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
16. A program causing a computer to realize:
an information storage function that stores a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquisition function that acquires a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
a pattern information providing function that provides a prover who provided the message with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
a response acquisition function that acquires from the prover response information corresponding to the selected verification pattern; and
a verification function that verifies, based on the message, the set of multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
17. A program causing a computer to realize:
a message generation function that generates a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing function that provides the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
an intermediate information generation function that generates third information based on first information randomly selected by the verifier and second information obtained when the message was generated;
an intermediate information providing function that provides the third information to the verifier; and
a response providing function that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 2),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
18. A program causing a computer to realize:
an information storage function that stores a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquisition function that acquires a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
an information providing function that provides randomly selected first information to a prover who provided the message;
an intermediate information acquisition function that acquires third information generated by the prover based on the first information and second information obtained when the message was generated;
a pattern information providing function that provides the prover with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
a response acquisition function that acquires from the prover response information corresponding to the selected verification pattern; and
a verification function that verifies, based on the message, the first information, the third information, the set of multivariate polynomials F and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
19. A program causing a computer to realize:
a message generation function that generates a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing function that provides the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a pattern selection function that selects one verification pattern from among k verification patterns (where k ≥ 3) based on a value obtained by inputting a document M and the message into a one-way function;
a response generation function that generates response information corresponding to the selected verification pattern; and
a signature providing function that provides the verifier with the message and the response information as a signature,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F is a public key or a system parameter, and the vector y is a public key,
wherein the message is information obtained by performing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.

Claims (19)

1. An information processing device comprising:
a message generation unit that generates a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing unit that provides the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); and
a response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 3),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
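The closing clause of claim 1, repeated in every claim that follows, is the one algebraic property the scheme asks of F: for cubic polynomials, F(x_1 + x_2) - F(x_1) - F(x_2) splits into a part G_1 that is additive in x_1 and a part G_2 that is additive in x_2. The Python below is an added illustration, not code from the patent or from Sony. It assumes K is the integers modulo a small prime Q = 101 and that each f_i is a homogeneous cubic (both constructed choices), builds G_1 and G_2 explicitly from the monomials of F, and checks the identity, the additive homomorphism in each argument, and the public-key relation y = F(s).

```python
import random

# Constructed parameters, not the patent's: K = Z_Q for a small prime Q,
# n variables and m polynomials. Far too small for security; chosen so the
# identity can be checked by hand.
Q = 101
N_VARS = 4
M_POLYS = 3


def random_cubic(n, rng):
    """Homogeneous cubic polynomial over Z_Q, stored as {(i, j, k): coeff} with i <= j <= k."""
    return {(i, j, k): rng.randrange(Q)
            for i in range(n) for j in range(i, n) for k in range(j, n)}


def eval_cubic(f, x):
    """f(x) = sum of coeff * x_i * x_j * x_k over the monomials of f (mod Q)."""
    return sum(c * x[i] * x[j] * x[k] for (i, j, k), c in f.items()) % Q


def g1_cubic(f, x1, x2):
    """Terms of f(x1 + x2) that take one factor from x1 and two from x2: linear in x1."""
    return sum(c * (x1[i] * x2[j] * x2[k] + x2[i] * x1[j] * x2[k] + x2[i] * x2[j] * x1[k])
               for (i, j, k), c in f.items()) % Q


def g2_cubic(f, x1, x2):
    """Terms of f(x1 + x2) that take two factors from x1 and one from x2: linear in x2."""
    return sum(c * (x1[i] * x1[j] * x2[k] + x1[i] * x2[j] * x1[k] + x2[i] * x1[j] * x1[k])
               for (i, j, k), c in f.items()) % Q


def evaluate(F, x):
    """F(x) = (f_1(x), ..., f_m(x))."""
    return [eval_cubic(f, x) for f in F]


def G1(F, x1, x2):
    return [g1_cubic(f, x1, x2) for f in F]


def G2(F, x1, x2):
    return [g2_cubic(f, x1, x2) for f in F]


def vadd(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]


def vsub(a, b):
    return [(u - v) % Q for u, v in zip(a, b)]


def random_vector(seed, n=N_VARS):
    rng = random.Random(seed)
    return [rng.randrange(Q) for _ in range(n)]


def keygen(seed, n=N_VARS, m=M_POLYS):
    """Public key (F, y) with y = F(s); secret key s, an element of K^n."""
    rng = random.Random(seed)
    F = [random_cubic(n, rng) for _ in range(m)]
    s = [rng.randrange(Q) for _ in range(n)]
    return F, evaluate(F, s), s


def identity_holds(F, x1, x2):
    """Check G1(x1, x2) + G2(x1, x2) == F(x1 + x2) - F(x1) - F(x2)."""
    lhs = vadd(G1(F, x1, x2), G2(F, x1, x2))
    rhs = vsub(vsub(evaluate(F, vadd(x1, x2)), evaluate(F, x1)), evaluate(F, x2))
    return lhs == rhs


def additively_homomorphic(F, a, b, w):
    """G1 is additively homomorphic in its first argument, G2 in its second:
    G1(a + b, w) == G1(a, w) + G1(b, w) and G2(w, a + b) == G2(w, a) + G2(w, b)."""
    first = G1(F, vadd(a, b), w) == vadd(G1(F, a, w), G1(F, b, w))
    second = G2(F, w, vadd(a, b)) == vadd(G2(F, w, a), G2(F, w, b))
    return first and second


if __name__ == "__main__":
    F, y, s = keygen(seed=2012)
    a, b, w = random_vector(1), random_vector(2), random_vector(3)
    print("y = F(s):", y)
    print("G1 + G2 == F(x1 + x2) - F(x1) - F(x2):", identity_holds(F, a, w))
    print("G1 additive in x1, G2 additive in x2:", additively_homomorphic(F, a, b, w))
    # F itself is not additive; only the cross terms G1 and G2 are.
    print("F(a + b) == F(a) + F(b):",
          evaluate(F, vadd(a, b)) == vadd(evaluate(F, a), evaluate(F, b)))
```

The split generalises to non-homogeneous cubics: the quadratic terms of each f_i contribute a bilinear part that can be assigned to either G_1 or G_2, and the linear terms cancel in F(x_1 + x_2) - F(x_1) - F(x_2), so the two additivity properties the claim requires still hold.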
2. The information processing device according to claim 1,
wherein the message generation unit generates N messages (where N ≥ 2),
wherein the message providing unit provides the N messages to the verifier in a single interaction, and
wherein the response providing unit provides the verifier, in a single interaction, with N pieces of response information corresponding to the verification patterns selected by the verifier for each of the N messages.
3. An information processing device comprising:
an information storage unit that stores a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquisition unit that acquires a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
a pattern information providing unit that provides a prover who provided the message with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
a response acquisition unit that acquires from the prover response information corresponding to the selected verification pattern; and
a verification unit that verifies, based on the message, the set of multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
4. The information processing device according to claim 3,
wherein the message acquisition unit acquires N messages (where N ≥ 2) in a single interaction,
wherein the pattern information providing unit selects a verification pattern for each of the N messages and provides the prover, in a single interaction, with information on the N selected verification patterns,
wherein the response acquisition unit acquires from the prover, in a single interaction, N pieces of response information corresponding to the N selected verification patterns, and
wherein the verification unit determines that the prover stores the vector s when verification succeeds for all N messages.
5. An information processing device comprising:
a message generation unit that generates a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing unit that provides the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
an intermediate information generation unit that generates third information based on first information randomly selected by the verifier and second information obtained when the message was generated;
an intermediate information providing unit that provides the third information to the verifier; and
a response providing unit that provides the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 2),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
6. The information processing device according to claim 5,
wherein the message generation unit generates N messages (where N ≥ 2),
wherein the message providing unit provides the N messages to the verifier in a single interaction,
wherein the intermediate information generation unit generates N pieces of third information based on the first information selected by the verifier for each of the N messages and N pieces of second information obtained when the N messages were generated,
wherein the intermediate information providing unit provides the N pieces of third information to the verifier in a single interaction, and
wherein the response providing unit provides the verifier, in a single interaction, with N pieces of response information corresponding to the verification patterns selected by the verifier for each of the N messages.
7. An information processing device comprising:
an information storage unit that stores a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquisition unit that acquires a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
an information providing unit that provides randomly selected first information to a prover who provided the message;
an intermediate information acquisition unit that acquires third information generated by the prover based on the first information and second information obtained when the message was generated;
a pattern information providing unit that provides the prover with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
a response acquisition unit that acquires from the prover response information corresponding to the selected verification pattern; and
a verification unit that verifies, based on the message, the first information, the third information, the set of multivariate polynomials F and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
8. The information processing device according to claim 7,
wherein the message acquisition unit acquires N messages (where N ≥ 2) in a single interaction,
wherein the information providing unit randomly selects first information for each of the N messages and provides the N pieces of selected first information to the prover in a single interaction,
wherein the intermediate information acquisition unit acquires N pieces of third information generated by the prover based on the N pieces of first information and N pieces of second information obtained when the N messages were generated,
wherein the pattern information providing unit selects a verification pattern for each of the N messages and provides the prover, in a single interaction, with information on the N selected verification patterns,
wherein the response acquisition unit acquires from the prover, in a single interaction, N pieces of response information corresponding to the N selected verification patterns, and
wherein the verification unit determines that the prover stores the vector s when verification succeeds for all N messages.
9. A signature generation device comprising:
a message generation unit that generates a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message providing unit that provides the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a pattern selection unit that selects one verification pattern from among k verification patterns (where k ≥ 3) based on a value obtained by inputting a document M and the message into a one-way function;
a response generation unit that generates response information corresponding to the selected verification pattern; and
a signature providing unit that provides the verifier with the message and the response information as a signature,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
10. An information processing method comprising the steps of:
generating a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
providing the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); and
providing the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 3),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
11. An information processing method comprising the steps of:
storing, by an information processing device, a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
acquiring a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
providing a prover who provided the message with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
acquiring from the prover response information corresponding to the selected verification pattern; and
verifying, based on the message, the set of multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
12. An information processing method comprising the steps of:
generating a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
providing the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
generating third information based on first information randomly selected by the verifier and second information obtained when the message was generated;
providing the third information to the verifier; and
providing the verifier with response information corresponding to a verification pattern selected by the verifier from among k verification patterns (where k ≥ 2),
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
13. An information processing method comprising the steps of:
storing, by an information processing device, a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
acquiring a message generated based on the set of multivariate polynomials F and a vector s that is an element of the set K^n;
providing randomly selected first information to a prover who provided the message;
acquiring third information generated by the prover based on the first information and second information obtained when the message was generated;
providing the prover with information on one verification pattern randomly selected from among k verification patterns (where k ≥ 3);
acquiring from the prover response information corresponding to the selected verification pattern; and
verifying, based on the message, the first information, the third information, the set of multivariate polynomials F and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear with respect to x_1 and x_2, respectively.
14. A signature generation method comprising the steps of:
generating a message based on a set of multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
providing the message to a verifier storing the set of multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
selecting one verification pattern from among k verification patterns (where k ≥ 3) based on a value obtained by inputting a document M and the message into a one-way function;
generating response information corresponding to the selected verification pattern; and
providing the verifier with the message and the response information as a signature,
wherein the vector s is a secret key,
wherein the set of multivariate polynomials F and the vector y are public keys,
wherein the message is information obtained by performing, based on the public keys and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set such that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic with respect to x_1 and x_2, respectively.
15. A program causing a computer to realize:
a message generation function of generating a message based on a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message provision function of providing the message to a verifier storing the set of multi-order multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s)); and
a response provision function of providing to the verifier response information corresponding to one verification pattern selected by the verifier from among k (where k ≥ 3) verification patterns,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic in x_1 and in x_2 respectively.
16. A program causing a computer to realize:
an information storage function of storing a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquisition function of acquiring a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n;
a pattern information provision function of providing, to the prover who provided the message, information on one verification pattern selected at random from among k (where k ≥ 3) verification patterns;
a response acquisition function of acquiring from the prover response information corresponding to the selected verification pattern; and
a verification function of verifying, based on the message, the set of multi-order multivariate polynomials F, the vector y and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic in x_1 and in x_2 respectively.
17. A program causing a computer to realize:
a message generation function of generating a message based on a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message provision function of providing the message to a verifier storing the set of multi-order multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
an intermediate information generation function of generating third information based on first information selected at random by the verifier and on second information obtained when generating the message;
an intermediate information provision function of providing the third information to the verifier; and
a response provision function of providing to the verifier response information corresponding to one verification pattern selected by the verifier from among k (where k ≥ 2) verification patterns,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear in x_1 and in x_2 respectively.
18. A program causing a computer to realize:
an information storage function of storing a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a message acquisition function of acquiring a message generated based on the set of multi-order multivariate polynomials F and a vector s that is an element of the set K^n;
an information provision function of providing randomly selected first information to the prover who provided the message;
an intermediate information acquisition function of acquiring third information that the prover generates based on the first information and on second information obtained when generating the message;
a pattern information provision function of providing to the prover information on one verification pattern selected at random from among k (where k ≥ 3) verification patterns;
a response acquisition function of acquiring from the prover response information corresponding to the selected verification pattern; and
a verification function of verifying, based on the message, the first information, the third information, the set of multi-order multivariate polynomials F and the response information, whether the prover stores the vector s,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key, the first information, the third information and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are linear in x_1 and in x_2 respectively.
19. A program causing a computer to realize:
a message generation function of generating a message based on a set of multi-order multivariate polynomials F = (f_1, ..., f_m) defined over a ring K and a vector s that is an element of the set K^n;
a message provision function of providing the message to a verifier storing the set of multi-order multivariate polynomials F and a vector y = (y_1, ..., y_m) = (f_1(s), ..., f_m(s));
a pattern selection function of selecting one verification pattern from among k (where k ≥ 3) verification patterns based on a value obtained by inputting a document M and the message into a one-way function;
a response generation function of generating response information corresponding to the selected verification pattern; and
a signature provision function of providing the message and the response information to the verifier as a signature,
wherein the vector s is a secret key,
wherein the set of multi-order multivariate polynomials F and the vector y are a public key,
wherein the message is information obtained by executing, based on the public key and the response information, a calculation prepared in advance for the verification pattern corresponding to the response information, and
wherein the set of multi-order multivariate polynomials F comprises m cubic polynomials f_1, ..., f_m and is set so that G_1(x_1, x_2) and G_2(x_1, x_2), defined by G_1(x_1, x_2) + G_2(x_1, x_2) = F(x_1 + x_2) - F(x_1) - F(x_2), are additively homomorphic in x_1 and in x_2 respectively.
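Every claim above rests on one algebraic condition: for a set of m cubic polynomials F, the difference F(x_1 + x_2) - F(x_1) - F(x_2) must split into a part G_1 that is linear (additive) in x_1 and a part G_2 that is linear in x_2, and the public key is y = F(s). Claims 14 and 19 additionally pick the verification pattern from a one-way function of the document M and the message. The following Python is an added example written for this page; it is not the patent's own code and it does not implement the full identification or signature protocol. It builds a toy cubic system over GF(7), computes the split into G_1 and G_2 by expanding each monomial at x_1 + x_2 (terms with exactly one x_1 coordinate go to G_1, terms with exactly one x_2 coordinate go to G_2), checks the claimed identity and additivity, and derives per-round patterns from SHA-256. The modulus P = 7, the sizes n = m = 4, the restriction to homogeneous cubics, the choice of SHA-256, the length-prefix encoding of M and the function names are all my assumptions.

```python
"""Added example: polar split of a cubic multivariate system and Fiat-Shamir-style
pattern selection, as stated in claims 13-19.  Toy parameters; not the patent's code."""
import hashlib
import itertools
import random

P = 7  # toy prime modulus for the ring K = GF(7); an assumption, not from the patent


def random_cubic_system(n, m, seed):
    """m random homogeneous cubic polynomials in n variables over GF(P).
    Each polynomial maps an index triple (i <= j <= k) to the coefficient of x_i x_j x_k."""
    rng = random.Random(seed)
    monomials = list(itertools.combinations_with_replacement(range(n), 3))
    return [{t: rng.randrange(P) for t in monomials} for _ in range(m)]


def eval_system(F, x):
    """F(x) = (f_1(x), ..., f_m(x)) in GF(P)^m."""
    return [sum(c * x[i] * x[j] * x[k] for (i, j, k), c in f.items()) % P for f in F]


def vec_add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]


def vec_sub(a, b):
    return [(u - v) % P for u, v in zip(a, b)]


def polar_parts(F, x1, x2):
    """Split F(x1 + x2) - F(x1) - F(x2) into (G1, G2) evaluated at (x1, x2).

    Expanding x_i x_j x_k at x1 + x2 gives 8 products, one per choice of x1/x2 per
    position.  The pure-x1 and pure-x2 products belong to F(x1) and F(x2); the mixed
    products with one x1 coordinate are linear in x1 (G1), those with one x2
    coordinate are linear in x2 (G2).  This is the decomposition the claims require.
    """
    g1, g2 = [], []
    for f in F:
        acc1 = acc2 = 0
        for idx, c in f.items():
            for picks in itertools.product((0, 1), repeat=3):  # 1 = take the x2 coordinate
                taken = sum(picks)
                if taken in (0, 3):          # pure term, not part of the mixed difference
                    continue
                term = c
                for pos, pick in zip(idx, picks):
                    term *= x2[pos] if pick else x1[pos]
                if taken == 2:               # exactly one x1 coordinate -> G1
                    acc1 += term
                else:                        # exactly one x2 coordinate -> G2
                    acc2 += term
        g1.append(acc1 % P)
        g2.append(acc2 % P)
    return g1, g2


def polar_identity_holds(F, x1, x2):
    """G1(x1, x2) + G2(x1, x2) == F(x1 + x2) - F(x1) - F(x2), componentwise mod P."""
    g1, g2 = polar_parts(F, x1, x2)
    total = eval_system(F, vec_add(x1, x2))
    rhs = vec_sub(vec_sub(total, eval_system(F, x1)), eval_system(F, x2))
    return vec_add(g1, g2) == rhs


def additivity_holds(F, a, b, x):
    """G1 is additive in its first argument and G2 in its second (the claimed property)."""
    g1_sum, _ = polar_parts(F, vec_add(a, b), x)
    g1_a, _ = polar_parts(F, a, x)
    g1_b, _ = polar_parts(F, b, x)
    _, g2_sum = polar_parts(F, x, vec_add(a, b))
    _, g2_a = polar_parts(F, x, a)
    _, g2_b = polar_parts(F, x, b)
    return g1_sum == vec_add(g1_a, g1_b) and g2_sum == vec_add(g2_a, g2_b)


def keygen(n, m, seed):
    """Secret key s in K^n and public key (F, y = F(s)), as in the claims."""
    rng = random.Random(seed)
    F = random_cubic_system(n, m, rng.randrange(1 << 30))
    s = [rng.randrange(P) for _ in range(n)]
    return s, (F, eval_system(F, s))


def select_patterns(document, message, k, rounds):
    """Claims 14/19: derive the verification pattern from a one-way function of (M, message).

    One pattern per round.  The document is length-prefixed so two (M, message) pairs
    cannot collide by moving the boundary between them, and rejection sampling on a
    32-bit value avoids the bias a bare `byte % k` has when 256 is not a multiple of k.
    """
    ctx = hashlib.sha256(len(document).to_bytes(8, "big") + document + message).digest()
    limit = ((1 << 32) // k) * k
    patterns = []
    for i in range(rounds):
        attempt = 0
        while True:
            tag = ctx + i.to_bytes(4, "big") + attempt.to_bytes(4, "big")
            v = int.from_bytes(hashlib.sha256(tag).digest()[:4], "big")
            if v < limit:
                patterns.append(v % k)
                break
            attempt += 1
    return patterns


if __name__ == "__main__":
    rng = random.Random(2012)  # fixed seed so the run is reproducible
    s, (F, y) = keygen(4, 4, 2012)
    for _ in range(50):
        x1, x2, b = ([rng.randrange(P) for _ in range(4)] for _ in range(3))
        assert polar_identity_holds(F, x1, x2) and additivity_holds(F, x1, b, x2)
    print("y =", y, "patterns =", select_patterns(b"contract.txt", b"commitment", 3, 8))
```

Note that G_1 is quadratic in x_2 and G_2 quadratic in x_1, so neither is additive in its other argument; that asymmetry is exactly why the cubic case needs the two-part condition stated in the claims rather than the single bilinear form available for quadratic systems.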

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2011177070A JP5790286B2 (en) 2011-08-12 2011-08-12 Information processing apparatus, signature generation apparatus, information processing method, signature generation method, and program
JP2011-177070 2011-08-12
PCT/JP2012/066009 WO2013024627A1 (en) 2011-08-12 2012-06-22 Information processing device, signature-generation device, information processing method, signature-generation method, and program

Publications (1)

Publication Number Publication Date
CN103733563A true CN103733563A (en) 2014-04-16

Family

ID=47714956

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280038074.3A Pending CN103733563A (en) 2011-08-12 2012-06-22 Information processing device, signature-generation device, information processing method, signature-generation method, and program

Country Status (4)

Country Link
US (1) US20140189361A1 (en)
JP (1) JP5790286B2 (en)
CN (1) CN103733563A (en)
WO (1) WO2013024627A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014220661A (en) * 2013-05-08 2014-11-20 株式会社東芝 Certification device, output device, verification device, input device, certification method, verification method and program
CN103490897B (en) * 2013-09-17 2017-04-05 华南理工大学 A kind of multivariable public key signature/checking system and signature/verification method
CN117251884A (en) * 2023-09-21 2023-12-19 北京海泰方圆科技股份有限公司 Data verification method and device

Citations (6)

Publication number Priority date Publication date Assignee Title
CN1870499A (en) * 2005-01-11 2006-11-29 丁津泰 Method for generating multiple variable commom key password system
JP2008312183A (en) * 2007-05-15 2008-12-25 Sony Corp Information processing apparatus, method, and program
WO2010029988A1 (en) * 2008-09-12 2010-03-18 ソニー株式会社 Ic chip, information processing device, software module control method, information processing system, method, and program
CN101965711A (en) * 2008-04-09 2011-02-02 松下电器产业株式会社 Signature and verification method, signature generation device, and signature verification device
CN102025489A (en) * 2009-09-11 2011-04-20 吉林大学 Public key cryptography improvement method for hidden field ergodic matrices and signature scheme
EP2320347A1 (en) * 2008-08-21 2011-05-11 Sony Corporation Information processing device, method for processing data, and program

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US7961876B2 (en) * 2005-01-11 2011-06-14 Jintai Ding Method to produce new multivariate public key cryptosystems
US8019079B2 (en) * 2007-07-08 2011-09-13 Georgia Tech Research Corporation Asymmetric cryptosystem employing paraunitary matrices
JP5593850B2 (en) * 2010-05-31 2014-09-24 ソニー株式会社 Authentication device, authentication method, program, and signature generation device
IL206139A0 (en) * 2010-06-02 2010-12-30 Yaron Sella Efficient multivariate signature generation

Also Published As

Publication number Publication date
JP2013041055A (en) 2013-02-28
JP5790286B2 (en) 2015-10-07
WO2013024627A1 (en) 2013-02-21
US20140189361A1 (en) 2014-07-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20140416)